At A Glance
- Patient records can be 10 to 20 times more valuable than credit card information.
- Basic in-office necessities for cybersecurity include antivirus software, separate Wi-Fi networks for staff and for patients, and a virtual private network.
- Helping employees and vendors understand why certain cybersecurity tools are in use is the best way to ensure compliance and foster a security-minded culture.
Cybersecurity seems to be in the news on a weekly basis, from breaches, to identity theft, to massive settlements from companies that have misused or mishandled customer data. Cybersecurity is a hot topic today for good reason: between January 1, 2005, and April 18, 2018, there were 8,854 recorded breaches.[1]
Anyone who handles sensitive data is living in an increasingly dangerous world. This is all the more true for medical practitioners, for whom the compliance obligations, regulation, and penalties for mishandling sensitive patient information have never been greater. According to Reuters, patient records can be 10 to 20 times more valuable than credit card information, so there is an obvious incentive for cybercriminals to target medical practices.[2] After all, a credit card number can be changed overnight, but addresses, employers, insurance documents, and diseases cannot.
What practical steps can retina specialists take to secure their practices in the age of daily attacks and extensive regulatory compliance? This article explores how to increase cybersecurity and mitigate risks associated with running a modern ophthalmic practice.
IN YOUR OFFICE
The no-brainer: antivirus software can recognize threats, malicious files, and the like. Whenever multiple computers are connected to the internet (and to each other) in a business environment, antivirus software is a must. Many ophthalmic practices run on Windows PCs, which means they are particularly vulnerable. There are hundreds of thousands of known viruses for Windows, with more surfacing every day. For practices running on Macintosh computers, good antivirus software is still important.
Separate Wi-Fi Networks
Another recommended measure is creating separate Wi-Fi networks for staff and for patients and their families or caretakers. This is a must when dealing with sensitive health information. Separating your Wi-Fi networks (or not offering in-office Wi-Fi to patients and their families or caretakers at all) is especially important if any of your diagnostic tools connect to the internet. It is estimated that one out of four medical devices is connected to a network, so this is a huge potential liability.
Virtual Private Network
Beyond having separate public and private Wi-Fi networks, it is also recommended that each computer in your physical office obtain and use a virtual private network (VPN) to further secure network communications (Figure 1). Have you ever used the public Wi-Fi in your local Starbucks to send an email or to access your online banking? Unless you were using a VPN to encrypt your data, anyone else on that Wi-Fi network could theoretically see the information your device was sending and receiving. Say goodbye to that online banking password.
A VPN stops other users from being able to “sniff” your network traffic. Think of it as a tunnel: data are passing through, but they are obscured to anyone trying to look in from the outside. Even if someone were to crack the Wi-Fi password for your main network, he or she wouldn’t be able to read the contents of the traffic passing through that network. A VPN encrypts all of the data it carries, making them useless and unreadable to anyone sniffing traffic on your network. Note that this protection covers only the path between your device and the VPN endpoint; beyond that point, the traffic is protected only as far as the destination service itself encrypts it.
So you’ve separated your public Wi-Fi and the private network that your office staff uses for billing, electronic health records, and diagnostic devices. But what if your office is broken into or physically compromised? One of the most practical security measures the average person can take is to strengthen passwords. Password management software is an incredibly easy way to store all of the passwords you use and reset your current passwords to random, virtually uncrackable alphanumeric strings. A shared team account in your password manager is an easy way for office staff to share passwords for your practice’s most frequently used online services, including your website, social media accounts, and billing applications. You can delegate access to everyone in your organization or create separate “vaults” for different teams, giving access only to those who truly need it.
ON THE WEB
Secure Sockets Layer
If you are serious about securing your practice from data breaches, you also need to consider the security of your website. Although implementation of website security measures can easily escalate to complex solutions, the easiest way to cover your bases is to install a Secure Sockets Layer (SSL) certificate on your website. (The underlying protocol has since been replaced by Transport Layer Security, or TLS, but certificates are still commonly sold and described as SSL certificates.)
An SSL certificate lets your website serve its pages over HTTPS, which encrypts data in transit between a visitor’s browser and your web server. So, even if someone were able to intercept data sent to or from your website (eg, appointment requests with sensitive patient information), the intercepted data would be unreadable. The certificate protects data only while it is traveling; information the website stores after submission still needs to be secured separately. Most SSL certificates cost less than $100 per year, so, if you collect any sort of personal or health-related information on your website, this step is easy to implement.
Content Distribution Network
When handling sensitive patient information, security is the primary goal. But what about business goals? What if your website is attacked or goes down unexpectedly? What could the downtime cost your practice in terms of lost efficiency, time, and revenue?
Using a content distribution network (CDN) such as Cloudflare (cloudflare.com) can help mitigate this risk. Cloudflare has servers and data centers around the world that can increase uptime for your website and help handle the load, should your website receive lots of traffic or fall prey to a distributed denial-of-service (DDoS) attack. Cloudflare’s servers can also serve your content to users faster and filter malicious requests before they reach your own server, minimizing the potential for loss due to downtime or attacks.
Two-factor authentication is a verification process by which online services require not only a password but also something that you have physical access to, such as your cell phone. Have you ever tried to log into Facebook and been prompted for a six-digit passcode that was texted to your cell phone? That’s two-factor authentication at work, and it’s much more secure than a traditional password alone. Codes sent by text message are the weakest form of second factor; where a service offers an authenticator app or a hardware security key instead, prefer those.
IN YOUR COMMUNICATIONS
How can you ensure your email communications are secure? There are plenty of HIPAA rules about what a medical practice may and may not communicate via email, but, if you’re concerned about emails getting intercepted, I recommend using end-to-end email encryption such as Pretty Good Privacy (PGP).
PGP relies on a technology called public-key cryptography to encrypt and secure emails. Think of it as a mailbox with two keys (Figure 2). One key is used to deposit mail in the mailbox. This is known as your public key, and you can give it out to anyone. Tweet it to the whole world, if you want, or post it on a billboard. It doesn’t matter. Anyone in possession of your public key will be able to send encrypted email to you that only you can read. The other key is known as your private key. You—and only you—should have access to this private key, or else anyone who obtains it will be able to read your emails.
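The two-key mailbox in practice, as an added example that is not part of the original article and not PGP’s own code: textbook RSA on two fixed Mersenne primes (assumed here for readability; real PGP keys are far larger, use randomized padding, and wrap a symmetric session key rather than the message itself). Anyone holding the public key can seal a note, only the private key opens it, and applying the public key again yields only garbage.

```python
# Added illustration of the two-key mailbox: textbook RSA, teaching code only.
# Real PGP uses much larger keys, padding and a hybrid scheme; never use this
# for real mail.

# Two known Mersenne primes (M61 and M89); n = p*q is about 150 bits, so this
# "mailbox" holds a note of at most 18 bytes.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537  # conventional public exponent


def generate_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key), each as an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e*d == 1 (mod phi); Python 3.8+
    return (e, n), (d, n)


def encrypt(public_key, message: bytes) -> int:
    """Deposit mail: anyone holding the public key can run this."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("note too long for this key (no padding or hybrid layer)")
    return pow(m, e, n)


def decrypt(key, ciphertext: int) -> bytes:
    """Open the mailbox. Only the private key recovers the original bytes;
    applying the public key again just produces garbage."""
    d, n = key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo():
    """Round trip a constructed sample note and show what a public-key holder sees."""
    public, private = generate_keypair()
    note = b"appointment 3pm"          # constructed sample message
    sealed = encrypt(public, note)     # sender needs only the public key
    opened = decrypt(private, sealed)  # recipient's private key opens it
    misopened = decrypt(public, sealed)  # public key alone cannot open it
    return opened, misopened


if __name__ == "__main__":
    opened, misopened = demo()
    print("with private key:", opened)
    print("with public key: ", misopened)
```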
Secure File Upload Sites
If patients or business associates need to send sensitive documents to you but don’t want to rely on PGP, consider using secure file upload sites such as ShareFile (sharefile.com). These file sharing applications use bank-level encryption and security, so they are incredibly secure ways to share sensitive documents you wouldn’t want to fall into the wrong hands.
It is worth mentioning that the most sophisticated tools in the world won’t help if you don’t use them. Your chance of getting struck by lightning is one in 960,000. According to the Ponemon Institute, the chances of your business experiencing a data breach are as high as one in four. What’s worse, the average cost of a data breach exceeds $3.5 million.[3]
The first step in implementing a security practice is to create and foster a security-minded culture. It comes down to your people, your vendors, and the way you conduct business. Although I strongly recommend implementing some or all of the security tactics mentioned in this article, you must walk through the proper use of these tools with your staff. Helping employees and vendors understand why these tools are in use is the best way to ensure compliance and foster a security-minded culture.
Although the suggestions outlined in this article are certainly not an exhaustive list, their careful and successful implementation will place you well on your way to having a more secure ophthalmic practice and extra peace of mind.
Disclaimer: Messenger does not claim to be an expert on HIPAA compliance and cannot be held responsible for misuse of this information. Always consult a cybersecurity expert when installing or implementing cybersecurity measures.
1. Sobers R. 60 must-know cybersecurity statistics for 2019. Updated April 17, 2019. varonis.com/blog/cybersecurity-statistics. Accessed May 1, 2019.
2. Humer C, Finkle J. Your medical record is worth more to hackers than your credit card. Reuters. September 24, 2014. reuters.com/article/us-cybersecurity-hospitals/your-medical-record-is-worth-more-to-hackers-than-your-credit-card-idUSKCN0HJ21I20140924. Accessed July 1, 2018.
3. Ponemon L. Know the odds: the cost of a data breach in 2017. June 20, 2017. securityintelligence.com/know-the-odds-the-cost-of-adata-breach-in-2017. Accessed June 30, 2018.