The Journal of the Arkansas Medical Society, Vol 115, No. 9 Med Journal March 2019 Final 2 | Page 7
Other risks, some more preventable than others, fall under what Whatley earlier dubbed a “lack of preparedness.” These may be eliminated more easily than some other threats, with help from qualified personnel. They include open or unsecured Wi-Fi, vulnerable network connections, unvetted employees, and unguarded devices. “In your clinics, technology is all around,” Whatley shared. “If there’s a laptop in a room that is accessible by patients or other people – can it be physically removed? Is it encrypted? Is the data encrypted in place?”
As physicians or clinic managers, you should routinely discuss cybersecurity with a proven and trusted IT provider who can make sure you’re aware of where your data is and how it’s being protected. (For helpful tips related to choosing your IT provider, see our sidebar on page 200.) In addition, you and your IT department may need to take steps to secure your network and remote configurations through encryption. Encryption is defined (DHS newsletter) as “the conversion of electronic data into an unreadable or coded form that is unreadable without a decryption key.”
In addition, are you utilizing anti-malware, proper setup of audit logs, and regular generation of secure, tested, hack-free backups? Are you monitoring regularly to catch breaches sooner rather than later? Further defenses to investigate may include whitelisting, proper patch management (updates), a reduced attack surface (limiting what plugs into your network), segmenting, and authentication management (frequently changed, complex passwords).
Another growing threat is ransomware, defined by The Ransomware and HIPAA Fact Sheet (DHS) as “a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key. However, hackers may deploy ransomware that also destroys or exfiltrates data, or ransomware in conjunction with other malware that does so.”
Coverage If and When
A professional and proven IT service is obviously important. However, when you’re attacked by cyber monsters, another tool that may assist you is proper insurance coverage. Through your medical malpractice liability coverage, you may already have some coverage against security attacks; however, a policy devoted to this purpose may offset the cost of recovery.
“Although not all attacks can be prevented, a partnership with a cybersecurity insurance company can facilitate your response and mitigate the damages,” wrote Decareaux (SVMIC.com). “Where SVMIC’s professional liability policies already include supplemental cybersecurity coverage in the amount of $50,000, SVMIC partners with NAS Insurance Services to offer access to further coverage at discounted premiums.”
As to the worth of the added coverage, Decareaux described a group of six primary care physicians in middle Tennessee who decided to purchase it. “The practice administrator realized that the potential risk of a cyber-attack or information technology system failure and the ensuing costs to recover data, possible lawsuits, and regulatory fines and penalties could add up to more than the basic limits provided by SVMIC,” she wrote. “The group had experienced minor losses … some involving errors by their own staff, and one protected health information violation was caused by an outside vendor.
“These experiences convinced the administrator how vulnerable the group was to potential loss … with the estimated cost of a cybersecurity loss at a minimum of $30 per record, and possibly more due to the potential for regulatory fines and penalties, it was relatively easy to see that the potential for loss is great, and by contrast, the premium is relatively affordable.”
According to Decareaux, the Tennessee practice also implemented mandatory staff training on PHI and HIPAA and put in place an extensive internal and external IT security system that meets or exceeds Federal Meaningful Use PHI and IT standards.
Security standards such as these can be a challenge to keep up with. Duncan, who specializes in HIPAA privacy, security, and breach notification compliance, reminds physicians that, in addition to malpractice coverage, SVMIC offers education and regulatory help on the subject right here in Arkansas. “Being the victim of a cybersecurity incident can trigger many negative outcomes for a medical practice, with the worst being access to patient information and the ability to provide patient care,” she said. “It is imperative that practices take the steps necessary to protect their patient data and have policies and procedures in place to act if an incident occurs. Compliance with the HIPAA Security Rule is a major step in this process.”
Are you doing all you can to protect patient data? Are you meeting HIPAA requirements? Are you listening to the warning Whatley offered members last year? “The more that can be put into securing information, the better,” he advised. For more information and professional assistance from experts in the fields of HIPAA and cybersecurity, call SVMIC at 870.540.9161. You can also always call AMS for more information.
Author’s Note: The Journal reached out to the FBI for further tips to share. Due to the government shutdown that was in effect during the writing of this article, the Bureau was not able to share additional information.
ADDITIONAL RESOURCES
SVMIC
SVMIC.com shares important bulletins and related articles as well as links to important tools like the Security Risk Assessment Tool (SRA Tool).
HealthIT.gov
Through its website, the Office of the National Coordinator for Health Information Technology offers numerous related resources. For example, ONC offers “Top 10 Tips for Cybersecurity in Health Care” at http://www.healthit.gov/providers-professionals/cybersecurity-shared-responsibility. Search its Health IT Playbook (https://www.healthit.gov/playbook) for more tools and topics of interest.
The Identity Theft Resource Center
A U.S. nonprofit support organization, the Identity Theft Resource Center exists to broaden public education about cybersecurity and to help in understanding and resolving cases of identity theft, data breach, cyber security, scams/fraud, and privacy issues.
https://www.idtheftcenter.org
NUMBER 9
MARCH 2019 • 199