5 Steps to Help Ensure Your System is Secure and Safe for LTPAC Practices

July 27th, 2017 by Sean Smith, CISSP

Cyber security attacks are on the rise. In May 2017, a ransomware attack hit 150 countries, affecting hospitals, major companies and businesses, and government offices. At least 200,000 computers were affected before the problem could be contained. In June 2017, another ransomware attack spread across Ukraine, Denmark, and France. But this one also hit close to home—affecting the Heritage Valley Health System in Pittsburgh, PA, which runs several hospitals and other health care facilities in the region. These recent attacks call out the alarming need for health care providers and practitioners to know about security issues and seek the guidance of specially certified security experts to protect data and prevent cyberattacks.

While these cyber-attacks may have made headlines, they are not isolated incidents. Such assaults are on the rise as hackers get bolder and more sophisticated. Ransomware attacks, which involve a type of insidious software that blocks the user’s access to data until a ransom is paid, are increasingly common, as hackers see them as a way to make a big profit from a small investment.

Long-term and post-acute care (LTPAC) practitioners are especially vulnerable, as many have outdated or inadequate systems that lack protective measures to prevent such attacks. At the same time, rampant staff turnover and a lack of education and training lead to human error, such as personnel falling for phishing scams or clinical and administrative leaders failing to regularly change passwords. Additionally, most medical groups do not have a staff member who is trained and certified to create a proper cyber security program for their practice, and instead count on their IT professionals for help. As a result, many organizations are unprepared to deal with a new class of savvy, high-tech criminals who see a profit in holding patients’ private, personal, and sensitive information hostage. Meanwhile, hackers see dollar signs when they look at health care organizations, as the value of a single medical record on the dark internet is $363.

Putting off efforts to secure your practice could have dire consequences—lost data and time, huge fines, and major bills to retrieve data and update your systems. “Our medical clients are not trained in cyber security. They live in a reactive state to the latest buzzwords in the press. And most clinicians are worried that they cannot definitively answer yes to the question, ‘Are we safe?’” said Sean E. Smith, CISSP, Senior Security and Compliance Engineer of Geriatric Practice Management, LLC (GPM). Fortunately, there are experts and companies that know all about cyber security and have years of experience developing systems and processes that keep data safe now and in the future. Partnering with an expert can give you both protection and peace of mind.

5 Steps to Help Ensure Your System is Secure and Safe

  1. Two-Factor Authentication Increases Security Tenfold…

Two-factor authentication adds a second level of authentication to an account log-in. It requires the user to present two of the three types of credential in order to access an account: something you know (a personal identification number, password, or pattern); something you have (a possession such as an ATM card or phone); and/or something you are (a biometric such as a fingerprint or voice ID). While this adds a step to the log-in process, it also offers more protection. It doesn’t make your system impervious to all potential attacks; however, it makes it harder for hackers to access your data. To hack a system with two-factor authentication, perpetrators must acquire either the physical component of the log-in (such as your phone) or access the cookies or tokens the authentication mechanism places on the device.

  2. The Password Is….

Passwords often present a security risk, particularly when people use short, easy ones—such as their name or date of birth. Instead, suggested Smith, “Use a phrase—a favorite saying or quote. Make it easy to remember but hard to crack.” Make it at least 10 characters, he recommended. He explained that hackers can crack an eight-character password in just over two years, while it takes four millennia to uncover a longer one. For a 10-plus-character password, said Smith, the industry standard is to change it once a year; for a shorter password, change it every 90 days.
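To make the length comparison concrete, here is an added example (not part of the article or GPM's own tooling) that estimates how long an exhaustive search of a password's key space would take and checks the article's 10-character minimum. The guess rate of 100 million guesses per second and the 95-symbol printable-ASCII alphabet are assumptions for illustration; the years the code reports change with whatever rate you plug in.

```python
# Added example: estimate exhaustive-search time for a password's key space
# and apply the article's minimum-length rule. Not code from the article.
import string

# Assumed attacker guess rate (constructed figure, not from the article).
GUESSES_PER_SECOND = 1e8
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# 33 = the 32 ASCII punctuation symbols plus the space character.
SYMBOL_CLASS_SIZE = len(string.punctuation) + 1


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, judged by which
    character classes the password actually contains (max 95)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c == " " or c in string.punctuation for c in password):
        size += SYMBOL_CLASS_SIZE
    return size


def years_to_exhaust(length: int, alphabet: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every string of `length` characters drawn from
    `alphabet` symbols at `rate` guesses per second (worst case for the
    attacker; on average they finish in half that time)."""
    return (alphabet ** length) / rate / SECONDS_PER_YEAR


def estimate_years(password: str) -> float:
    """Exhaustive-search estimate for a concrete password."""
    return years_to_exhaust(len(password), charset_size(password))


def meets_policy(password: str, min_length: int = 10) -> bool:
    """The article's rule: at least 10 characters."""
    return len(password) >= min_length


if __name__ == "__main__":
    # Constructed sample passwords, one short and one passphrase.
    for pw in ("Tr0ub4d&r", "correct horse battery staple"):
        print(f"{pw!r}: {len(pw)} chars, policy ok={meets_policy(pw)}, "
              f"~{estimate_years(pw):,.1f} years to exhaust")
```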

  3. Walk Like an Encryption…

The one step you must take with your devices is ensuring encryption, the conversion of electronic data into ciphertext that makes it unreadable by anyone except authorized parties. “Every device needs to be encrypted,” stressed Smith. “CMS put this in black and white. If devices are stolen and data is encrypted, there will be no penalties or problems.”

  4. Addressing e-Mail Maladies…

Another area ripe for scrutiny and change is your use of e-mail servers. “The biggest mistake all organizations make with e-mail is using free services such as Gmail, Hotmail, or Yahoo. As the saying goes, you get what you pay for,” said Smith. He noted, “My mother has used a Yahoo e-mail account for over a decade. In that time, she has had her password stolen three times, including having her bank account hacked twice from that stolen identity. Yahoo has had multiple instances where its password database of over half a billion free accounts was compromised. In reality, none of the free services are secure. A medical organization should never use an e-mail service that will not sign a Business Associate Agreement and have the proper audit documentation to back that agreement up.”

  5. Seeking Professional Partnerships for Security Success

While you don’t need to be a security expert or even have one on staff, it is important to have a vendor who can provide cyber security expertise and support. “The first thing to look for is experience in the security field. Next, look for professional certifications in cyber security and make sure these certifications are current,” offered Smith. For instance, he recently obtained Certified Information Systems Security Professional (CISSP) certification, which is considered the gold standard for his field. Pursuing this designation requires years of validated work experience and multiple hours of continuing education annually to maintain the certification.

The CISSP draws from a comprehensive, current global body of knowledge designed to ensure that security leaders have a deep knowledge and understanding of new threats, technologies, regulations, standards, and practices. The exam tests competence in eight rigorous domains: security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security.

Very few professionals obtain and maintain this designation. As Smith said, “Having ‘CISSP’ after my name proves to the rest of the world that I have earned a very hard industry recognized standard in the cyber security world. When people see that credential, they don’t have to ask if I know what I am talking about.” He added, “Having someone who maintains the CISSP title on staff means that the organization has made a significant investment in staffing and to their own cyber security program. It also means that the company has decided to devote resources—both time and money—to ensuring their own cyber security program is in place and consistently evolving as new threats and opportunities emerge.”

Finally, said Smith, it’s not enough to be a general cyber security expert. It is essential to find one with a history in healthcare. “A lot of security companies are good at other industries but do not understand healthcare. You wouldn’t hire an accounting firm that has expertise in manufacturing to assist with your healthcare organization’s financial program,” he said. Similarly, he indicated, you need a security expert who understands the specific challenges and issues faced by organizations in your field and has experience in securing and protecting patient records and other confidential health data.

It is no longer enough to put a security program in place and hope for the best. The sophistication of attackers in the healthcare space has grown exponentially, and after every cyberattack, hackers learn more about how to make the next one more successful. The right security expert can help you stay a step ahead.

About Sean Smith, CISSP

Sean E. Smith, a Senior Security and Compliance Engineer with GPM, has over 32 years of experience in information security, cybersecurity, HIPAA Privacy and Security, operational security, enterprise infrastructure and operations. At GPM, he has been responsible for infrastructure planning, installation, deployment, operations, change management and security. He is also responsible for the creation and operation of the HIPAA Compliance, Risk Assessment, and SOC Level 1 Type 2 programs, which passed external auditing with No Exceptions. Prior to joining GPM, he worked in and/or founded several IT consulting firms with a focus on small medical groups. Additionally, he spent four-plus years as a VP at Bank of America involved in Enterprise Architecture planning, application management and business IT integrations. Finally, he also has an intelligence background. He spent eight years in the US Navy as a Cryptologist deployed to Fast Attack submarines. Quite a ride.

We're ready to help you. Contact us today by phone at (828) 348-2888, or get in touch via our contact form.