Cybersecurity and your medical practice Q&A

Cyber attacks on are the rise. Not only are they becoming more prevalent but more sophisticated too. We sat down with Healthbridge IT Operations Manager, Andre de Lange, to find out more about trends in cybersecurity and threats and how to safeguard your practice against attack.

Cyber threats are becoming more prevalent. What are some of the most significant changes in cyber threats we’re seeing today?

There has been a major change in the way cyber attacks are carried out from as recent as 2017 and early 2018. Previously viruses were attached to .exe files¹ that were passed between computers and laptops, but we’re seeing an ongoing shift away from this method. What this means is that traditional antivirus software that was designed to safeguard against these files are no longer as effective in identifying malware². For businesses that don’t have the means or infrastructure to put a firewall in place, they need to be extra vigilant in warding off cyber threats and attacks.

It is also critical to point out that 80% of cyber attacks come from within – a disgruntled ex-employee, for example, who has access to sensitive information or databases is almost always your biggest threat in terms of security. So you need to have a system in place that understands this and manages the risks accordingly.

Why does the healthcare industry, in particular, need to pay more attention to cybersecurity?

Healthcare is possibly one of the most information-intensive sectors. It is for this reason that it is a prime target for cybercriminals. Consider electronic health records, which contain enormous amounts of information, from patient’s names and addresses to their financial details and physical condition. For cybercriminals this is a lucrative business as this kind of data will fetch a high price on the black market.

In the recent attacks we’ve seen criminals use ransomware³ to hijack an organization’s customer database and demand a ransom with a threat of exposing the information should the organisation not comply. Healthcare information is of course, particularly sensitive and on par with financial information and therefore a target for criminals who know that the company they are attacking will likely pay the ransom to protect their clients and their reputation.

And of course, due to the POPI Act, healthcare providers are forced to put measures in place to protect patient information. Failing doing so could result in privacy breaches, lawsuits and huge penalties.

Many small to medium-sized practices don’t have a dedicated IT resource to ensure their security. What is the best way for them to manage cybersecurity?

Medical practices must ensure that they have a cyber-security framework incorporating advanced protection with detection, containment and remediation features. This is often a big ask for smaller practices and that is why we’re seeing more medical practices moving towards digital management 

solutions. This ensures that a large proportion of their data security is taken care of by their cloud-based software partner.

Another area that they should look into is staff policies. These should typically be reviewed on an annual basis ensuring that every employee has signed/acknowledge the policy’s content. Be sure to record who has access to patient data, how much access they have and why they need it. If it is not necessary for a staff member to have access, then rather remove it.

Why is it important for medical practices to use secure, cloud-based software?  

There are numerous benefits to using cloud-based software, but in terms of security, the most important one is outsourced IT maintenance.

When you subscribe to a cloud-based application, the solution partner usually agrees to manage all IT maintenance, including bug-repair, updates, patches, and security for that application. That can make a huge difference to a smaller practice with limited (or no) IT resources — it saves time and money, it also frees up your staff to focus on delivering care and improving the patient experience.

Outsourced IT maintenance also brings peace of mind when it comes to security. When practices are comparing medical software, I’d encourage them to look for partners that develop and deploy enterprise-grade, HIPAA compliant security through encryption and have a regular back-up schedule in place. Even meeting these basic criteria means you won’t have to worry about losing sensitive patient data in the event of a natural disaster or firewall breach.

Other benefits of using cloud-based software include:

Minimized up-front costs: While savings vary depending on the application, most cloud-based software is licensed on a subscription basis, which means instead of paying a huge amount upfront for a perpetual license, you pay a monthly fee for access. And because cloud applications are hosted remotely, there are no physical server requirements, which means implementation also goes faster and costs less.

Increased mobility and collaboration: Cloud applications are typically accessed by logging in through a web portal. This means doctors, nurses, specialists, allied health professionals, and in some cases, patients, can all access the information (with permission) from any location and device. Cloud software helps you maintain continuity of care by staying connected to patient and procedural data. It’s also especially important when it comes to communication – for example, to enable doctors and patients to exchange messages through a secure, HIPAA-compliant platform from any location.

Further to that point, real-time access to data is another benefit of cloud software. Server-based EMRs and other on-premise medical systems require a lot of manual syncing, uploading, and back-up to keep data up to date. A cloud-hosted system, on the other hand, ensures all of your data will stay synced in real-time across every device. Accurate data is critically important when making serious decisions that affect patient outcomes

Lastly, scalability is another huge benefit of cloud-based software.  If you expect your practice to grow in the future (expanded patient population, more staff, a larger payer network, etc.), it is important to choose a product that can expand with your needs and budget. Most SaaS products are priced based on the level of functionality and the number of users you require. Instead of spending huge amounts to lock yourself into a product that may or may not fit your requirements, now and in future, you can upgrade your SaaS package to adjust your level of access and features as necessary.

What are the fundamental questions practices should you be asking potential software partners?

After establishing that they provide cloud-based software, you should ask any potential partner whether they have the following in place: firewalls; encryption and username and password logins. You need to ask these questions to know how the system protects your practice and patient data.

Following on from that, you need to have a discussion with them about Intellectual Property (IP) to be certain about who ultimately owns the IP so that your data isn’t being sold or exposed to third parties. This must also be very clearly outlined in your service level agreement or contract.

Furthermore, it’s a good idea to question the company’s values to ensure that it’s a good fit with your practice values and business drivers.

We can’t deny that cybercrime is on the rise, and we’re hearing reports about personal data being compromised in some way or another almost on a weekly basis. Practices need to know the risks and choose the right solution partner that helps them mitigate that risk as well as enabling you to grow your practice.  This combination is essential to any modern medical practice.

If you are looking for cloud-based practice management software to safely secure your patients’ personal and financial details, then send an email to enquiries@healthbridge.co.za.

1. EXE is a file extension for an executable file format. An executable is a file that contains a program – that is, a particular kind of file that is capable of being executed or run as a program in the computer. An executable file can be run by a program in Microsoft DOS or Windows through a command or a double click.
2. Malware or malicious software, is any program or file that is harmful to a computer user. Malware includes computer viruses, worms, Trojan horses and spyware.
3. Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.