The Journal of the Arkansas Medical Society, Vol 115, No. 9 Med Journal March 2019 Final 2 | Page 6
by CASEY L. PENN
Too Scared to Look
Are You Maintaining Medical Cybersecurity?
William “Trey” Whatley, a Federal Bureau of Investigation special agent and Cyber Action Team member, warned AMS members at last year’s annual session about the importance of cybersecurity. “I want you to understand how hostile the environment is for medical information,” he said. “A credit card can be replaced … but a person’s health information is simply private or public. You can’t just change your medical history – your diagnosis, your prescriptions, your blood type, DNA, anything like that is intimately associated with you. When that loss happens, it’s a serious matter.”
Despite the serious warning, many seem to have a general disregard for learning more about cybersecurity.
Is it too technical, are we too busy, or are we just fearful to the point of inaction? Loretta Duncan, MS, FACMPE, CHC, is a senior medical practice consultant for SVMIC (State Volunteer Mutual Insurance Company), the AMS-endorsed carrier for medical professional (malpractice) insurance. She helps explain what could make some of us disregard a topic like cybersecurity.
“I think the idea of cybersecurity is so overwhelming and frightening that it seems easier to ignore than to actually deal with,” said Duncan. “Unfortunately, ignorance can lead to a lack of protection that can jeopardize patient care, practice reputation, and financial stability.”
Avoidance may indeed be a dangerous mentality, according to information shared by The Office of the National Coordinator for Health Information Technology. Its Guide to Privacy and Security of Electronic Health Information (2015) states, “Health care providers may believe that if they are small and low profile, they will escape the attention of ‘hackers’ … Yet every day there are new attacks aimed specifically at small to mid-size organizations because they are less likely to be fully protecting themselves. It is important to have strong cybersecurity practices in place to protect patient information, organizational assets, your practice operations, and your personnel, and of course to comply with the HIPAA Security Rule. Cybersecurity is needed whether you have your EHR locally installed in your office or access it over the Internet from a cloud service provider.”
Cybercrime is a common occurrence that is only growing in the health care sector. According to 2015 data from the Identity Threat Resource Center, the medical sector ranked “second in the number of breaches reported (35.4% of 780 total breaches) and first in the number of affected records (over 121 million records).”
The Department of Health & Human Services, in its National Cybersecurity Awareness Month Newsletter (October 2018) shares that electronic protected health information, or ePHI, is a hot commodity on the black market – more so than other personal data “because it can be used to steal identities and commit health care fraud.”
As frightening as this subject can be, there are things you can do to help protect your clinic and patient information from today’s prevalent cyber threats.
A List of Prevalent Threats
Identity Threat Resource Center data named hacking, or phishing, as the number one strategy of attack by cybercriminals. (The number two risk to cybersecurity? Employee error or negligence!)
From the DHS newsletter, “Phishing remains one of the most common and effective social engineering tactics for stealing user credentials and other sensitive information. Malicious actors send deceptive emails to users, enticing them to disclose login credentials or click links that may install malware (malicious software). The effectiveness of phishing attacks can be greatly reduced with proper training to keep information system users aware of the threats of phishing attacks and business associates to implement security awareness and training programs for all workforce members including management.”
Susan Decareaux, CPCU, RPLU, CISR, is the assistant vice president of Underwriting, Pricing & Risk Analysis at SVMIC. On phishing, she wrote, “Employee education is important. Cybercriminals are getting smarter and are able to disguise their phishing emails to appear to come from one of your vendors or another trusted source. Caution should be used before opening any attachment, and verification of the email source should be done for all incoming emails, especially those with an attachment.”
The cost to respond to a data breach, according to SVMIC data, is “$10-30 per patient record,” a number that includes notification expenses, legal fees, and credit monitoring services. “Additional costs such as IT forensics and potential fines or penalties could lead even a small breach to cost well over $100,000.”