The Journal of the Arkansas Medical Society Med Journal March 2019 Final 2 | Page 7

Other risks, some more preventable than oth-
ers, fall under what Whatley earlier dubbed a “lack
of preparedness.” These may be eliminated easier
than some other threats, with help from qualified
personnel. They include open or unsecured Wi-Fi,
vulnerable network connections, unvetted employ-
ees, and unguarded devices. “In your clinics, tech-
nology is all around,” Whatley shared. “If there’s a
laptop in a room that is accessible by patients or
other people – can it be physically removed? Is it
encrypted? Is the data encrypted in place?”
As physicians or clinic managers, you should
routinely discuss cybersecurity with a proven and
trusted IT provider who can make sure you’re
aware of where your data is and how it’s being
protected. (For helpful tips related to choosing
your IT provider, see our sidebar on page 200.)
In addition, you and your IT department may need
to take steps to secure your network and remote
configurations through encryption. Encryption
is defined (DHS newsletter) as “the conversion of
electronic date into an unreadable or coded form
that is unreadable without a decryption key.”
In addition, are you utilizing anti-malware,
proper setup of audit logs, and regular genera-
tion of secure, tested, hack-free backups? Are
you monitoring regularly to catch breaches sooner
rather than later? Further defenses to investigate
may include whitelisting, proper patch manage-
ment (updates), a reduced attack surface (limiting
what plugs into your network), segmenting, and
authentication management (frequently changed,
complex passwords).
Another growing threat is ransomware, de-
fined by The Ransomware and HIPAA Fact Sheet
(DHS) as “a type of malware (malicious software)
distinct from other malware; its defining character-
istic is that it attempts to deny access to a user’s
data, usually by encrypting the data with a key
known only to the hacker who deployed the mal-
ware, until a ransom is paid. After the user’s data
is encrypted, the ransomware directs the user to
pay the ransom to the hacker (usually in a cryp-
tocurrency, such as Bitcoin) in order to receive a
decryption key. However, hackers may deploy ran-
somware that also destroys or exfiltrates data, or
ransomware in conjunction with other malware
that does so.”
Coverage If and When
A professional and proven IT services is obvi-
ously important. However, when you’re attacked by
cyber monsters, another tool that may assist you
is proper insurance coverage. Through your medi-
cal malpractice liability coverage, you may already
have some coverage against security attacks;
however, a devoted policy to this effect may offset
the cost of recovery.
“Although not all attacks can be prevented, a
partnership with a cybersecurity insurance com-
pany can facilitate your response and mitigate the
damages,” wrote Decareaux (SVMIC.com). “Where
SVMIC’s professional liability policies already in-
clude supplemental cybersecurity coverage in the
amount of $50,000, SVMIC partners with NAS In-
surance Services to offer access to further cover-
age at discounted premiums.”
As to the worth of the added coverage, Dec-
areaux described a group of six primary care phy-
sicians in middle Tennessee who decided to pur-
chase it. “The practice administrator realized that
the potential risk of a cyber-attack or information
technology system failure and the ensuing costs
to recover data, possible lawsuits, and regulatory
fines and penalties could add up to more than the
basic limits provided by SVMIC,” she wrote. “The
group had experienced minor losses … some in-
volving errors by their own staff, and one protected
health information violation was caused by an out-
side vendor.
“These experiences convinced the administra-
tor how vulnerable the group was to potential loss
… with the estimated cost of a cybersecurity loss
at a minimum of $30 per record, and possibly more
due to the potential for regulatory fines and penal-
ties, it was relatively easy to see that the potential
for loss is great, and by contrast, the premium is
relatively affordable.”
According to Decareaux, the Tennessee prac-
tice also implemented mandatory staff training on
PHI and HIPAA and put in place an extensive in-
ternal and external IT security system that meets
or exceeds Federal Meaningful Use PHI and IT
standards.
Security standards such as these can be a
challenge to keep up with. Duncan, who specializes
in HIPAA privacy, security, and breach notification
compliance, reminds physicians that, in addition to
malpractice coverage, SVMIC offers education and
regulatory help on the subject right here in Arkan-
sas. “Being the victim of a cybersecurity incident
can trigger many negative outcomes for a medi-
cal practice, with the worst being access to patient
information and the ability to provide patient care,”
she said. “It is imperative that practices take the
steps necessary to protect their patient data and
have policies and procedures in place to act if an
incident occurs. Compliance with the HIPAA Secu-
rity Rule is a major step in this process.”
Are you doing all you can to protect patient
data? Are you meeting HIPAA requirements? Are
you listening to the warning Whatley offered mem-
bers last year? “The more that can be put into
securing information, the better,” he advised. For
more information and professional assistance from
experts in the fields of HIPAA and cybersecurity, call
SVMIC at 870.540.9161. You can also always call
AMS for more information.
Author’s Note: The Journal reached out
to the FBI for further tips to share. Due to the
government shutdown that was in effect during
the writing of this article, the Bureau was not
able to share additional information.
ADDITIONAL
RESOURCES
SVMIC
SVMIC.com shares important bulletins
and related articles as well as links to impor-
tant tools like the Security Risk Assessment
Tool (SRA Tool).
HealthIT.gov
Through its website, the Office of the
National Coordinator for Health Informa-
tion Technology offers numerous related
resources. For example, ONC offers “Top
10 Tips for Cybersecurity in Health Care” at
http://www.healthit.gov/providers-profes-
sionals/cybersecurity-shared-responsibility.
Search its Health IT Playbook (https://
www.healthit.gov/playbook) for more tools
and topics of interest.
The Identify Threat
Resource Center
A U.S. nonprofit support organization,
the Identify Threat Resource Center exists to
broaden public education about cybersecurity
and to help in understanding and resolving
cases of identity theft, data breach, cyber se-
curity, scams/fraud, and privacy issues.
https://www.idtheftcenter.org
NUMBER 9
MARCH 2019 • 199