Unfortunately, many medical practices shoot themselves in the foot, proverbially speaking, by creating vulnerabilities of their own that open them up to cyber-attacks and HIPAA violations.
Fortunately, most of these vulnerabilities can be prevented with small changes in mindset, culture, and processes.
9 Vulnerabilities Medical Practices Create Themselves
- Bury Their Head in the Sand – Because many doctors and practice managers don’t understand cybersecurity or the IT side of HIPAA, they ignore it. Unfortunately, hiding doesn’t protect your data, your money, or your reputation.
- Lack the Expertise – Many small medical practices rely on their “IT guy” (a single, outsourced one-person IT firm) who can’t know everything about technology, cybersecurity, and HIPAA, so the practice is at the mercy of that one person’s knowledge.
- Thinking Cybersecurity Costs Too Much – For most medical practices, cyber protection (and cyber insurance) won’t run a million dollars, or even hundreds of thousands of dollars. On the flip side, a single HIPAA violation can cost a practice $50,000, and the damage to the doctor’s reputation can close your doors: 54% of patients are likely to change providers following a data breach. [Source: HIT]
- No Policies to Protect Your Data – Most medical practices run the same way they did a decade ago, or at least their employee handbook makes it appear that way, because it hasn’t been updated since it was typed on a typewriter. An easy and FREE way to protect your data is to require a password to log in to every workstation and mobile device, and to set those devices to lock automatically after a few minutes of inactivity. (A login password alone does not protect the data on a stolen laptop or phone; turning on the device’s built-in disk encryption closes that gap.)
- Same P@$$word – Many medical practices use the same easy-to-remember password for every device, every account, and every user, for years. Shared credentials get you into trouble three ways: you can’t lock out an ex-employee without changing everyone’s password, you lose the audit trail of who actually accessed which patient record (HIPAA requires each user to have a unique ID), and a hacker who steals the password from any one account immediately has access to every one of your logins.
- Free Wi-Fi – Offering Wi-Fi in your waiting room and exam rooms is a nice benefit for patients, but if that Wi-Fi is on the same network as your practice systems, you are giving everyone in the building a path to your network, and you can also slow down your office’s productivity. Instead, put patient Wi-Fi on a separate, redundant internet connection. (This is also a good safety net in case your primary internet goes out: you can switch your team to the secondary connection, turn off the patient Wi-Fi, and stay operational.)
- No Risk Assessments – HIPAA and Meaningful Use require periodic security risk assessments. The first assessment provides a baseline for your security, shows what you’ve already implemented, and gives suggestions on what to improve.
- Thinking Data Loss Isn’t a Big Deal – Medical data sells for $355 per record on the Dark Web, making medical practices a prime target. A small medical practice may have only 1,000 patient records from the past five years, but that adds up to a $355,000 opportunity for a criminal. Medical practices must protect their hard drives like gold!
- Lack of Concern for Cybersecurity – The biggest issue most medical practices have with cybersecurity is a lack of concern: they think they are too small to be targeted or that their information isn’t important. Keep in mind that hackers do not need to target your practice specifically; they run automated scanners that crawl the entire internet looking for “open windows” into networks (exposed services, default passwords, unpatched systems). If one of those scanners stumbles upon your medical practice, the attacker could be in for a big payday.
Don’t get overwhelmed. A good IT firm can help you secure your network and advise you on how to protect your data. Outside of IT, look for vendors (Business Associates) that understand HIPAA, and don’t forget to get a BAA (Business Associate Agreement) signed with each of them. [If a vendor doesn’t ask you to sign a BAA, that is a red flag that the vendor isn’t versed in HIPAA regulations.]