Issue link: https://viewer.e-digitaledition.com/i/1149455
PHISHING AROUND BY MOLLY NECK SENIOR ASSOCIATE ATTORNEY ROSENBLATT LAW FIRM ALTHOUGH MALWARE AND cybersecu- rity raise concerns across a ll industries, medica l practices — a treasure trove of patient hea lth records, Socia l Security numbers a nd insura nce information — a re of ten the perfect ta rget for hackers a nd phishing schemes. Experia n esti- mates that a Socia l Securit y number ca n be sold for $1, but medica l records ca n be sold for between $1 a nd $1,000. The A merica n Medica l A ssociation repor ts that in 2017, 83% of a ll physi- cians' practices have experienced some t y pe of cyberattack. Hackers utilize a variety of attack methods. For example, ra nsomwa re ca n shut down practices for hours or days, ma king a patient 's m e d i c a l h i s t o r y i n a c c e s s i b l e a n d placi ng patient ca re at r isk t h roug h t hef t of elect ron ic protected hea lt h information (ePHI). The vast majorit y of physicians believe the ability to share ePHI is ex tremely impor ta nt when it comes to patient ca re, however, ma ny physicia ns a re not per for ming ba sic st eps t o i mprove t hei r secu r it y a nd protect ePHI. HIPA A requires a ll covered entities to "conduct a n accurate a nd thorough a ssessment of the potentia l risks a nd v ulnerabilities to the conf identia lit y, i nt e g r it y a n d a v a i l a bi l it y of e P H I held by the covered entit y or business associate." The A MA suggests five basic steps to beg in your assessment: 1 Ident i f y t he s c op e . Ident i f y potential vulnerabilities within your internal IT systems, including not only your data at rest (such as databases) but also data in transit moving through your network. Question how data flows through the system, each point of informa- tion entry and exit and who needs access to the information. 2 Assess the risk. Understand the hardware you have connected to the internet and how it is protected. Inventory all software, programs and security systems, and know how long it will take to recover data in the case of a data breach. 3 Evaluate the risk. Not every risk is the same, and if you have limited funds to invest in cyber security, focus on addressing those posing the most potential harm. 4 Create a plan to address the r isk . The ea siest cyberat tack on any organization is through unsuspecting employees. Educating and training staff about cybersecurity is the least expensive and most effective defense for any medical practice. Establish cyber- security policies and enforce them. 5 Periodically review and update. Annual evaluation of your cyber- secu r it y r isk is cr it ica l . Wit h tremendous advancements in technology, new risks appear daily — but so do new security measures to combat those risks. Stay up to date. Failure to make a reasonable effort to safeguard ePHI is not only a great way to lose patients, but an unfortunate means to find yourself facing vast fines for violating HIPA A. Federal fines for noncompliance with HIPA A are based on the level of perceived negligence at the time of the HIPA A violation, and can range from $100 to $50,000 per incident — another reason to ensure your medical practice has effective cybersecurity systems in place. While no system is ever perfect, ePHI is more secure and chances are significantly reduced that an employee will unwit- tingly release protected information when required policies, procedures and frameworks are followed. Implementing protocols a nd procedures may seem daunting and time consuming, but it is fundamental to minimizing risk. Molly Neck joined the Rosenblatt Law Firm in 2014. She is a Senior Associate for the Transactional Section of the firm. For more information, visit rosenblattlawfirm.com or call Rosenblatt Law Firm at 210-562-2900. n Data Breaches Actually Are Your Problem M D N E W S . C O M /// M D N E W S S A N A N T O N i O ■ 2 019 L E G A L ❰❰❰❰❰ 0 5