Smaller hospitals and clinics must avoid the common mistake of thinking they won't fall victim to cyberattacks, warns risk management expert Tom Andre, vice president of information services at the Cooperative of American Physicians, which offers malpractice and cyber insurance.
"You might look at yourself as a smaller organization and say, 'North Korea is not going to go after me. Government-sponsored entities aren't going to hack me like they tried to get into Sony.' The fact is that there are social engineering attacks like ransomware that are targeted at everyone and anyone; it's a scattergun attack," Andre says in an interview with Information Security Media Group.
The ransomware attack last month on Hollywood Presbyterian Medical Center, in which the California-based hospital paid $17,000 to extortionists to unlock data, is an example of evolving cyber risks, he says.
Healthcare entities of all sizes need to be prepared to defend against evolving threats using multiple measures, he stresses. But, unfortunately, many smaller organizations "assume one line of defense, like antivirus [software], is sufficient. No defense is 100 percent [effective], so you need multiple layers" of security, ranging from anti-spam tools to workforce training for recognizing phishing and other social engineering attacks, he emphasizes.
Ramping Up Risk Analysis
In light of the risks posed by increasingly sophisticated cyberthreats, smaller organizations must expand their usual HIPAA security risk assessment practices to reflect the changing cyber-risk landscape, he says.
"Do a cyber risk assessment. Take a look and get an idea of the type of attacks likely to happen to your organization - what it would cost you if you were breached and protected health information was compromised ... and shut down for a couple days," he suggests.
In the interview, Andre also discusses:
- Why electronic health records are attractive hacker targets;
- Common information security and privacy mistakes smaller healthcare providers make;
- Cyber insurance issues that healthcare providers should consider.
The Cooperative of American Physicians offers medical professional liability protection and risk management services to nearly 12,000 physicians in California. Its CAPAssurance unit offers liability insurance coverage to member hospitals, healthcare facilities and large medical groups.
Andre oversees the physician-owned organization's technology services and the development of applications for its claims, underwriting, risk management, finance and legal endeavors. Before joining the cooperative 20 years ago, Andre was information systems director for J.G. Boswell Company, a food production business.