“Sometimes the small practice physicians think they won’t be targeted because they have less information, but what we’re learning is that everyone is vulnerable because health data is very valuable,” said Deven McGraw, deputy director for Health Information Privacy for the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS).
“When you have deficiencies in all these areas, you’re set up for failure,” said Will Long, CISSP, CPHIMS, vice president and chief information security officer for information systems at Children’s Health, a pediatric healthcare system in North Texas that includes Children’s Medical Center Dallas and Children’s Medical Center Plano.
“We always urge practices to get all that right first and then move into other advanced things,” Long said.
Long listed several specific steps every physician office should take to combat malware:
1. “First, use up-to-date hardware and software.” “Stay mostly current, as close as you can,” he said. “You don’t have to run the newest systems, but [don’t run] the oldest system out there, either.”
2. “Be sure to update practice systems with patches as vendors release them, as many of those patches address vulnerabilities that hackers seek to exploit.”
3. “Invest in adequate endpoint and network protection software as well as training for employees, who in many cases still represent the biggest security threat because of the possibility they’ll open or click on malicious email files.”
“Usually getting all those basics correct is enough for the practice,” Long added.