Doctors and dentists who own their own practices face unique cyber security risks, now more than ever. You’re not only responsible for significant amounts of sensitive patient data stored on digital platforms; you’re also relying on practice management software and electronic billing systems, which increases your exposure to cyber threats. Without proper protections in place, this makes it easier for attackers to access your practice’s information.
Cyber security risks are changing constantly, both in the types of risk and in the severity of outcomes. When thinking about cyber security, a shift in perspective may help illustrate how essential healthy digital habits are to the safety of your practice.
Consider how often you check in on your financial health. You and your accountant assess accounts receivable, payroll, and expenses, certainly on a weekly if not daily basis. If an issue crops up, you can see it in almost real time and act quickly to mitigate the impact or course correct.
Now, consider what it would look like to apply the same type of rigour and visibility to your cyber security. The fundamental operations of your practice are almost completely digital. Without a well-functioning computer system, you’d likely completely shut down. So why don’t most business owners spend as much time or energy on cyber security as they should?
It can be difficult to constantly assess your practice’s cyber security needs when you’re busy running the business. However, getting external help can ease that burden and prevent small threats from becoming catastrophic events.
Key cyber security risks to watch for
Preventing a significant cyber security attack means being aware of and prepared for what kinds of risks exist.
Here are a few key risks specific to healthcare professionals who run their own practices:
- Data breaches
- Ransomware attacks
- Insider threats
- Social engineering
- Inadequate infrastructure and security practices
- Medical device vulnerabilities
Data breaches
Medical practices store large amounts of sensitive patient and staff information, including personal and financial data. Cybercriminals may attempt to breach the practice's systems to steal this data, which can be used for identity theft, financial fraud, or other malicious activities. Patient data breaches can lead to significant legal and financial consequences for the practice.
Ransomware attacks
Ransomware is a type of malware that encrypts a victim's files or locks them out of their systems, demanding a ransom payment in exchange for restoring access. Medical practices are attractive targets for ransomware attacks because they often rely heavily on electronic health records (EHRs) and may be more willing to pay to regain access to critical patient data.
Insider threats
Employees within the practice, including disgruntled staff members or those who may accidentally mishandle sensitive data, can pose a significant cyber security risk. Unauthorized access, data theft, or accidental data breaches can all result from insider threats. It is crucial for medical practices to implement appropriate access controls and monitoring systems to mitigate these risks.
Social engineering
Phishing is a common cyberattack method that uses social engineering. In these cases, attackers send deceptive emails or messages to trick recipients into revealing sensitive information or clicking on malicious links. Doctors and dentists are often targeted through phishing emails disguised as urgent patient requests or official communications from healthcare organizations. Recent large data breaches and AI toolsets allow threat actors to develop targeted social engineering campaigns. Falling victim to phishing attacks or other fraudulent emails can compromise sensitive practice data or lead to further network intrusions.
Inadequate infrastructure and security practices
Small medical practices may lack the resources or expertise to implement robust cyber security measures. Outdated software, weak passwords, unpatched systems, and lack of employee training can all contribute to vulnerabilities that can be exploited by cybercriminals.
Medical device vulnerabilities
There is a growing concern about the security vulnerabilities of connected medical devices and internet of things (IoT) devices, such as remote monitoring devices or implantable medical devices, as integration increases. Compromised medical devices can lead to patient safety risks, data breaches, or unauthorized access to the practice's network.
Mitigating your practice’s risk
There are a few ways you can prepare yourself for cyber security threats, both ahead of an attack and in the immediate aftermath of one. It’s likely you’ll experience, or have already experienced, a cyber security attack, and knowing how best to approach the situation to mitigate risk is invaluable.
Here are a few ways to mitigate that risk:
Beware of complacency
Organizations, like people, are prone to follow the path of least resistance. Practice owners will often invest heavily in fortifying their cyber defenses only to set the issue aside after they’ve received a clean bill of health and won’t revisit the issue until they’ve experienced an attack or a near miss. Consider a cyber security and privacy assessment at least annually to help illustrate if there’s any need for extra protections or changes to your policies.
Employee training
It is vital to invest in ongoing training in cyber security best practices for all employees. This includes how to recognize and avoid phishing attempts, how to set strong passwords, and awareness of your practice’s response plan in the event of an attack.
This helps ensure everyone is on the same page and understands the importance of working together towards cyber safety. The overwhelming majority of attacks boil down to human error, so setting clear guidelines for everyone from the receptionist to the owner keeps the policies and their importance a top-of-mind consideration.
Regular updates and patches
It may sound simple, but keeping your software systems up to date and patched as needed, including operating systems and medical device software, closes known vulnerabilities and reduces your exposure to future ones. It’s also key to back up your critical data regularly and test the restoration process to ensure business continuity in case of a cyberattack or data loss incident.
Plan for the worst-case scenario
While there are no guarantees, technology, strong policies, and training can significantly reduce the likelihood of a breach. But human error, software vulnerability, or a persistent hacker can all reveal cracks in even the very best cyber defenses.
An effective cyber incident response plan will provide clear instructions about how to report a breach and when to call a third-party advisor. It will also include when to call legal counsel, how to document and report details, and how to communicate with employees and affected parties. It is up to practice owners to set the tone for how to mitigate and manage cyber risks and be willing to accept that the worst-case scenario is a possibility that must be planned for.
Back up essential information
The Government of Canada has published baseline cyber security controls for small and medium organizations to help you understand how to improve the cyber resiliency of your practice.
Get the help you need when you need it
It can seem like a daunting task to prepare for something when you have no way of knowing how or when it might happen.
Think about your practice’s cyber security needs the same way you think about recommending regular check ups to patients. It’s part of an overall approach to prevention that ensures measures can be taken as early as possible if needed to prevent negative outcomes. It doesn’t mean that your patients won’t get sick, but it can prevent them from getting sicker. As their healthcare provider, you know their history and can use that information to provide better care.
The same is true of a dedicated third party who comes in to help you plan for and respond to a cyberattack. MNP’s dedicated team of advisors can help you identify your digital needs, understand your current operation, and recommend any adjustments or improvements. Having a third party who knows your business and its history is vital to alerting you when something needs attention, and MNP’s team is available 24/7 to assist in whatever way they can.
Your advisor will support you with ongoing monitoring and management to provide the visibility that will prevent cyber threats from reaching catastrophic levels and inform you of the health of your digital business on a regular basis.
Is your organization cyber safe?
From ransomware to increasingly persuasive phishing schemes, cyber crime is a global issue, and it’s on the rise. With the average cost of a data breach coming in at over $5.4 million for Canadian businesses, you need the peace of mind that your digital assets, finances, and reputation are secure.
Do you understand your cyber security risks?
To learn more about your cyber security needs and to better prepare yourself for a future attack, contact Eugene Ng, Partner, Cyber Security.