Today's Practice: Changing the Business of Medicine TP2018Q2DigitalEditionWeb | Page 106

TECHNOLOGY: Healthcare Cyber Security

installing anti-virus is not an option. In fact, bad user practices led to 41% of medical IoT security issues in 2017⁶, where something as simple as hardening the devices themselves by changing the default username and password could have averted issues. But the best way to protect medical IoT devices is to protect the computer network that they reside on and separate them from the rest of the facility's network.

Employees: A Practice's Greatest Weakness or Defense?

Answer: Yes. 60% of healthcare breaches occurred due to employee negligence, yet only 38% of healthcare employees are aware of their organization's cybersecurity policies. And only 30% of employees report having received any cybersecurity awareness training. If practices do not take the time to inform their employees how to protect patient data and explain data protection policies, how can the practice expect the employee to practice cybersecurity best practices? Taking an hour every quarter to inform employees about the latest cybersecurity threats they may face, and how they can protect themselves and the practice's patients, can turn the practice's greatest weakness, the human factor, into one of its best defenses.

IT is Not Cybersecurity

While Information Technology (IT) professionals are excellent resources, they are unfortunately typically not cybersecurity experts. Thinking of it from a medical perspective, you would not visit your cardiologist for a root canal even though both are medical professionals. The same applies to cybersecurity and the skills required to know how to best provide protection. IT professionals are just that, professionals, but their daily duties consist mainly of configuration and maintenance of the practice's computer networks (on premises or in the cloud), whilst the job of cybersecurity professionals is to ensure and verify the security of the practice's networks.
Combining the two functions is like asking your accountant to audit their own books: there is a conflict of interest.

Troy Wilkinson

What Can Practices Do for Protection?

The days of relying on free antivirus programs for cybersecurity protection are over. The modern medical practice needs to protect its computer networks, internet-connected devices, and patient data through at least a three-layered approach to cybersecurity.

Layer 1: Starting at the entrance to the internet, every practice should have a firewall that is regularly updated, patched, and monitored by a cybersecurity professional. Hackers are constantly scanning the internet looking for vulnerable networks and devices. Without a firewall protecting the network, the practice could be a virtual goldmine if a hacker is able to compromise computers or IoT devices. And the firewall needs to be updated on a regular, frequent basis to ensure that any hardware vulnerabilities are patched and that the latest threats are being protected against. If a firewall is not regularly updated, it essentially is obsolete the day it is installed.

Layer 2: Every computer, laptop, and, if possible, tablet should have next-generation antivirus installed that again is regularly updated, patched, and monitored. As part of HIPAA compliance, medical practices must be able to show the protection status of their endpoints. Centrally managed antivirus is the best route to ensure that the antivirus on individual machines is not disabled, and it provides a pain-free way to produce compliance reports.

Layer 3: Backup, backup, backup. Backups are like kryptonite to ransomware when performed properly. Emphasis on the "performed properly". Too often, practices have implemented backup solutions, seen that they were doing something, but never attempted to restore the backups until a true emergency occurred, only to find that the backups were worthless and recovery was impossible.

Additional Layers Optional: There are many other optional layers to cybersecurity that a practice can