"An ounce of prevention is worth a pound of cure." Benjamin Franklin wrote those words when he was addressing the need for fire safety. He actually was instructing on how to safely carry live coals from room to room or up and down stairs without starting a fire.
We emphasize daily to our patients that "preventive" treatment can protect against more expensive treatment down the road. Yet, so often, I find practices not heeding these wise words when it comes to their own information system and security.
Cyberattacks are going to happen. Hackers are getting more sophisticated, and ransomware has become the most common type of cyberattack. While you cannot totally prevent an attack, you can take some preventive steps now to ensure a quick response and recovery to an attack.
The first step in prevention is to find a quality information technology (IT) partner that can implement the correct infrastructure and perimeter controls. I often see practices that have an IT person that they call upon when a printer will not print. However, preventing a cyberattack from causing a lot of damage requires 24/7 attention. A quality IT partner is going to constantly monitor your systems and receive alerts when there is an abnormality.
The Health Insurance Portability and Accountability Act (HIPAA) requires that every practice have a plan in place to respond to a data breach. Back up, back up, back up! Backups are an integral component of a response plan. So often, practices are only backing up the practice management database incrementally nightly. This prevents a quick response and recovery. The concept of a backup is to be able to resume operations quickly. You and your team often use other applications to make your office run efficiently. If you need to get back up and running, you will need those other applications and data.
Practices should be conducting a full system backup on a monthly basis. This will include all your data, applications, drivers, etc. and allows for a faster recovery.
The standard backup protocol is full system monthly, differential weekly, and then the incremental of the system nightly. The more backups the better!
External hard drive backups should not remain connected to the network but should only be connected during the actual backup process. Backups should be tested frequently to make sure data are being saved and can be restored, and multiple backups are key. There are other issues, such as hardware failure, when backups are critical.
In the event of a cyberattack, a practice must determine the nature of the attack and if any information was viewed or exfiltrated. Most ransomware attacks are simply extortions, and no data are exfiltrated. Under HIPAA, a practice must launch an investigation to determine if any protected health information (PHI) was viewed or exfiltrated. Most IT companies are not able to conduct the required forensic investigation. However, most malpractice insurance companies will assist with this investigation by using their approved forensics teams and offsetting the costs involved. The only way to avoid having to conduct a forensic investigation is to encrypt the hard drives on the server and the workstations.
It is critical that a practice conduct the forensic investigation to document that their data were not viewed or exfiltrated. One medical practice failed to conduct such an investigation and was fined $500,000 when its data were found by the FBI on the dark web. Conducting a forensic investigation is key to preventing such a fine.
In the event of a breach or cyberattack, a practice should preserve all the evidence it can, disconnect the network from the internet, and contact the malpractice or liability carrier to determine what assistance it can provide.
Once the forensics team has collected the information they require, it's time to restore. Consider restoring to a workstation and using that as a temporary server or replacing the hard drives in the server.
An ounce of prevention -- taking some preventive steps now -- will prevent the financial impact and loss of production that a cyberattack will cause.
Debi Carr is the CEO of DK Carr & Associates, a technology, compliance, and security consulting firm. She is a consultant and speaker and has more than 30 years of experience in technology and security.
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.