Join Edward and Daniel as they talk about security basics for healthcare clinics, avoiding ransomware and hackers, and the value of having a trusted IT partner to help navigate the world of security and training to keep your clinic’s data safe!
Daniel Buchanan: Hello and welcome to the May, 2023 webinar series for the Stringfellow Technology Group. This month we are going to be talking about cybersecurity and patient data privacy. This is a really important topic. It’s a very hot topic. Cybersecurity can be a little scary from time to time, but it’s something that every practice provider needs to be thinking about.
Every practice manager needs to be thinking about. Every end user needs to be thinking about something that’s got to be top of mind. So I’m joined today again with Edward String Fellow.
So, Edward, why is healthcare, you know, so focused on as far as cybersecurity, like what makes cybersecurity such a big topic for healthcare groups as opposed to just any business?
Healthcare is a Prime Target
Edward Stringfellow: Healthcare is a prime target right now. The reality is patient data is actually very valuable to cyber criminals because it has social security numbers, it has financial and banking information at times.
It obviously has medical information, but the value of a medical record continues to increase. And the ease of which they can target and obtain them has really not gotten much better, at least from a provider perspective. So we’ve still got a bunch of low hanging fruit from the cyber criminals perspective. So they’re just gonna keep going at this. Healthcare is very interesting: it’s part business, it’s obviously part taking care of people and so the dynamic there is what we’re really trying to do is provide excellent patient care, but it’s all backed by this technology infrastructure and a lot of that is based on legacy technology.
The playbook that a lot of groups are using for running their technology: they’re not on the new playbook. They’re not on the cloud-based playbook. We won’t get into this today, but like a lot of EHRs, These are really big, massive systems integrated to a bunch of other big massive systems so no, it’s not like we can just snap our fingers and change this overnight.
Many have tried and failed by the way, so I’m not sitting here going, oh, just go to the cloud and it’ll all be okay. Cuz, I don’t think that’s necessarily the answer. But what we do wanna talk about is, is what are some things that we can do that are very basic today to keep our practice more safe.
But, but again, you’re, if you’re in healthcare you are a target and studies just as recently as last week, the cyber gangs are literally attacking hospital systems. In fact, some of the groups will come back to the cyber people and say, okay, yeah, we got your message. We’re sorry. And they’ll turn like they have a code and they’ll like turn it back on.
So there are a ton of opportunities for the cyber criminals to attack you. If you do just some basic stuff, you will not be a target.
It doesn’t have to be a massive investment and a huge lift, but there are some basics that you need to follow to keep yourself from being a target.
Daniel Buchanan: We look at this all the time because it’s something we’re very focused on, but I realize that a lot of healthcare providers and practice administrators may not be as focused on this, but the last number I saw was that there have already been over 200 healthcare companies, hospitals, clinics that have been breached in 2023.
So we’re at May and there’s already been over 200.
And so, you know it’s terrifying to think that, well, I mean, I’m a person too, right? So I go to a doctor’s office and they have my medical records. It’s terrifying to think that my medical records would be out there or that my provider would be down and I couldn’t call them and talk to them and get help.
Get my medicine. I need whatever it is if I’m sick, go visit. It’s a big deal.
Edward Stringfellow: $2.2 million is the, the average cost of a breach. You can see here the data breach costs per record, healthcare is far exceeding $408 versus if you break into a school, it’s $166.
So there’s a lot of valuable information for these cyber criminals to go after. Four in five provider practices have had an incident. I don’t think people understand the rate of breaches that providers have.
From where I sit earlier this week, 10 miles from where I sit. A provider was down for two or three days dealing with the breach. They literally were shut down and had thousands of patient visits canceled. Like not one, not two thousands.
This is happening every day to providers. Again, I think it’s happening to providers that are not doing some of the basics.
It goes back to: if I go and check the front door and it’s open, I’m coming in, but if it’s locked and then I check the next lock and it’s locked and I go pull the windows and they’re all locked, well, I’m just gonna go to the next house. You know, these groups are not targeting and trying to get in that way.
If you can keep yourself from being a target, it’s better and it’ll obviously save you a whole bunch of money. Let’s talk about the simple stuff you can do. This blows my mind and so Daniel, you might have to, get me off my soapbox here.
The Cost of a Breach
But it’s almost irresponsible, but it is very disheartening when we hear that ransomware got in and they weren’t able to recover. They’re spending literally days, weeks, we’ve heard of one for a month. I think the British healthcare system was shut down for a month, two or three, a couple years ago.
But the point is recovery is not being addressed. In our world of let’s check boxes, I look at my internal IT group, I say,
“Hey, do we have backups?”
And they go look at the last report and says, oh yeah, the backups are all green. It’s great. And we move on. We get into the recovery and that’s like their first time ever trying to figure out how to put the data back.
These systems are complex and there’s lots of them, and you’re trying to get e-prescribing back up.
A lot of groups, they, they just back the data up, but they don’t have a plan to get it back working. We had a provider practice pipe burst in their building.
I mean, the whole building, it was flooded, it was done. They had to move over the weekend and move all of their systems and do all of this stuff. And if it weren’t for a thought out plan of how do we recover and how do we deal with that, that could have taken them at least a week, you know, to get everything back where it needed to be.
But with a good disaster recovery plan. We were able to get ’em back up and going before the weekend was out actually.
The point here really is: backup is super basic but it’s really recovery that we need to be talking about.
Do, do you agree with that, Daniel? Where it’s backup, you know, especially internal. Oh, we got it. That we got it. But then it’s always, the story is, we had the backups, but, and then fill in the blank of how much time it’s gonna take to recover.
Daniel Buchanan: Hundred percent. A hundred percent. And so, yeah, backing up is just like the other items in IT: that’s like the first step.
Unless you’ve tested your recovery and you’ve spun it up and you’ve said, Hey, this VM runs, we can do what we need to do, or This data does load and we can access it. You don’t know that you have a backup. You think that you have a backup.
Edward Stringfellow: Or a backup that won’t run, I mean, if you’re running EHR, EMR, practice management systems on servers in your facilities or wherever; oh, I’ve got a backup of everything. Great, but can you run it in a recovery situation, can it run somewhere?
Oh no. You know, we don’t have enough space to spin everything up and it’s like, well, we can spin everything up, but the NextTech database won’t spin up.
It’s like, well, then you don’t have anything.
Recovery is something that I think everybody gets to backup, they get some green check boxes and then they stop. I think recovery is basic, but it needs to be a focus as far as being able to keep your practice up and going after you’ve had an event.
Granted, I would like to not have the event, but, but let’s just be honest, most groups are not there, so at least be able to get back to work quickly.
Daniel Buchanan: I think that’s smart. I think a scheduled recovery is smart. You know, I used to tell clients: if you think of it once a month, just find a file and see if you can recover it. So here’s this really super important file we’re working on. Here’s our QuickBooks database. Can we recover it?
I want it on a USB drive or something, I want another place to where I can go and I can load it onto a computer and it’ll work there.
And so if you don’t do that, you don’t have a plan. You just have a process that’s kinda happening that you’re not in control of, you’re not managing it.
A Tool is Not the Answer
Edward Stringfellow: And I think, I think that comes into this, this concept of a tool is not the answer.
If technology’s the problem, the idea that it would also be the answer doesn’t make sense to me anyway.
What that tells me is we’re just at a constant escalation of going back and forth, which is what we’re doing
it’s a battle of technology.
I think there’s three pieces of running technology systems properly. And the three pieces are
- the processes and
- the tools.
So the tool by itself won’t really, I mean it, yeah, sure, we can put an EDR, we can put fancy antivirus and that’s just a tool.
But if we don’t train the people with how they should respond to the virus alert or the phishing email, and then they don’t have a process that they’re following, you’re never gonna win.
You’re not even gonna keep up. We had an incident and we put in Datto for backup. by the way, Datto is an excellent product. We use it, its great, I like Datto a lot.
Even with a great tool that I do think is very good, what’s our process for recovery and who are the people involved?
I think that’s where IT really gets in a jam, especially internal IT.
Most internal IT is desk side and clinical meaning: rather than have good IT processes and a scalable model, we just have no process, just a person that runs around with tools and that leads to some inefficiencies.
When we talk about security, it’s never a tool. It’s gotta be a combination of people, security awareness training of your people, a process by which you handle incidents or allow people to report things and then there’s tools that support the people in the processes.
Daniel Buchanan: There’s this idea a practice, you talk about a medical practice and security might fall into that as well. It’s continuously improving. There’s an improvement system, like an internal check.
Edward Stringfellow: IT is not a checkbox, it’s a practice, just like medicine. And so we go through continuous training, we go to events, we look at things, we get feedback.
Hey, guess what? New techniques come out. So we do, we, new techniques come out. We incorporate those. And so , there’s a practice to running technology.
It’s not a set of tools that we set up one time.
Common Misconceptions Around PHI
Misconceptions lead to workarounds that make it worse. The classic example is with referrals or getting medical records between providers or referral providers. I’m in my EHR and I have to fax it to you, and so I have to print it out. I take the printout and I fax it and it gets faxed to the other end, and then they get a printout or a pdf and then that’s gotta get saved somewhere else.
So now I’ve taken one copy of PHI and duplicated it in three or four different places. the criminals are not actually physically walking by and taking faxes. But we all know they quickly get turned back into some digital form, which is typically in like the fax inbox where everybody has access to it.
it all flows into this one place that tons of people have access to. The next thing you know, the bad actor was literally sitting there making a copy of everything that came through the fax box. So they got hundreds of medical records a day before people figured this out.
So anyway, going back to the common misconceptions, yes, you can securely communicate PHI electronically. It has to be set up right. Again, this goes back to people, process and tools. If you’re on Microsoft 365, there’s nothing to it. We can email securely any kind of PHI to others.
We can also use secure file sharing platforms to make sure we’re not putting it in an unsecure place. A lot of people have portal fatigue, which I get. There’s a hundred different portals to upload your labs and this and that.
I think the portal doesn’t mean it’s secure either. I think that might be a, a misconception. If the portal is insecure, that can be a problem as well. The biggest point here is don’t think that you can’t use basic tools the correct way versus having to work around all this stuff and introduce more links in the chain.
Daniel Buchanan: I always approach this from a point of view of accountability. In HIPAA there is a rule for accountability. They’re talking about who has access to what and how do you know that only that person has access to that. . Which kind of ties back to people being represented by actual people. . So you have Your username that you log on as not front desk.
Most Common Issues
Edward Stringfellow: You’re bringing up literally just the most common issues we come across time and time again: password sharing and generic passwords.
I get it. People don’t like it. You can’t have provider one, provider two, provider three, nurse one, nurse two, nurse three, and everybody’s sharing them across all the exam rooms.
I hear you and I understand that we’re burned out, we’re understaffed, we gotta move room to room very quickly. I get all of that, but there is a way to do it and set it up securely where you can do that. You need an IT group that understands the workflow, and then can implement the technology to support that.
Versus what most groups are doing: they’re just working around it. I don’t have time to remember this password to log in and log out. Well, there’s a lot of different ways to log in now: you can fingerprint, your face, Prox card. There’s a ton of really simple, secure ways to do that. But, a lot of groups whether it’s internal IT or their provider, they let it keep going.
Another really common issue: security awareness training. This is the people side of people, process and tools. You’ve gotta educate. It’s people that are using this stuff and typically they’re the ones that are being hacked.
Yes, they get in the system, but a lot of times the initial hack is the person: whether they get socially engineered, they click on a Phish link, they send a document to the wrong party. It’s people.
I think security awareness training should be standard much like backups, in theory are standard in any, in any practice.
If you’ve got a provider and they’re not making that part of what they’re doing, I think they’re missing the people component.
Two more common issues we see just incorrect setup of email systems: we’ll still see groups that don’t have email security right.
Whether they can’t securely email or they’re unaware of how to do it. I’ve got X Y Z in front of this.
That just adds more complexity to the chain and no more security at this point. The Microsoft 365 stack has proven that at this point it’s pretty good and it’s fully integrated with all the users and everything else.
When we see that email flow and that fishing deterrent is not set up, that’s a big point of entry for sure.
And then we won’t beat this dead horse too much, but backups, you they’re not restorable.
Nobody did recovery. You read about it all the time. We’re down for three days and if you dig in and get some insider info, they’re down cause they can’t recover so I do think that’s a very common issue. There’s no recovery process in place.
Daniel Buchanan: One more little nugget of wisdom: when you have this hacker attack and you have a ransomware attack, the best choice is generally to do a recovery, not to negotiate with the hackers.
I mean, think about that: they want some Bitcoin and they just give you an address and you are supposed to give them Bitcoin.
What knowledge do you have that they’re gonna get out of the system or that they’re gonna just leave peacefully and that they won’t leave themselves a backdoor? You don’t want to negotiate with these people.
The security rule there is: you better have some good backups and be able to recover them. Because you’d rather be down for a couple of days restoring backups than negotiating with cyber terrorists in an ongoing way forever, because that’s not sustainable by any stretch of the imagination.
Edward Stringfellow: No, it’s not. And, and, and here, literally three, four months ago, a large PBM benefits manager. They were willing to pay. Well, heck, it took them the whole weekend to figure out how to get a hundred thousand dollars in Bitcoin. Normal folks don’t have a hundred thousand dollars in Bitcoin.
So, then they had this whole other problem of even figuring out how to pay. It’s a very convoluted thing if you don’t have good backups. Backups keep you from having to negotiate too.
I think that you’ve got to have a partnership.
I’m not saying a component of technology in a business or a healthcare practice. There might be a role for desk side support or even clinical support, IT coordinator on site for bigger practices. I get all of that, but the reality is we’ve shifted to where you really do need an outside third-party group that’s only focused on making sure technology is structured correctly.
You need a security roadmap and a strategy that’s been proven, that gets updated all the time and then it’s implemented without you having to live through it. Many IT Setups in a practice, you can see the scars everywhere where they had to learn, don’t do this and don’t do that, and don’t do this.
The Value of a Health IT Partner
You can skip all that if you get the right partner.
It is just not scalable to build it yourself anymore. You don’t want to live through all the experiences and the lessons learned and the improvements made by an IT partner.
You know, it’s a little bit like an insurance pool. So, if I figure out and solve an issue for one of our clients. Well then, I’m obviously going to implement it for the other 150.
That’s why people do outsourcing: you can get some benefit of not having to learn everything yourself.
I think that’s a big deal. The other thing and this isn’t internal IT’s fault, they are saying,
“Hey, we need to do security awareness trainings” and the providers say, “I don’t have time for that.” Well, that’s kind of an interesting dynamic.
I’ve got the providers, they have maybe a little more clout and they’re saying, Hey, I don’t have time to do this.
What’s the internal IT group going to do?
They’re not going to die on that hill and lose their job. And then there’s an incident because that exact provider clicked on the get me $500 worth of gift cards from the practice manager. And he’s like, I can’t believe she would ask for this.
So now we’re having a security incident and now it’s back on the internal IT person, what are they going to do? So now they’re just going to go fix it and it’ll probably just never be spoken of again.
But the hope is then after that, then you’ll do your security training or what have you. But that’s super, super reactive.
I do think there’s an advantage to having an outside group come in, because typically it’s via a, an agreement and a contract, and there’s just less maybe pushback or emotion in a group like us. this is just part of what you’re paying for and we’re going to score you. Whether you’re a physician or a back office or a nurse, or in marketing, everybody’s got to take the same security training and everybody’s got to hit a minimum score.
We’ve got to get everybody on the same page. As an outside group, we do have the ability to kind of mandate things that internal groups just don’t have. And that’s just the nature of that relationship.
Daniel Buchanan: In a lot of cases the doctors run the practice, so it’s like, how is an employee going to tell the boss that they have to do that?
Where with us it’s like a third party and like you said, it’s, you’re paying us to do this. This is part of what you’ve hired us to do, so let’s just let’s do the right thing.
Edward Stringfellow: Well, Daniel, this has been very interesting. Are there any key points we’ve missed?
Providers: you are a target, there are real dollars involved, an incident will happen to you or be attempted and whether or not you have ramifications or not typically are dependent on some pretty basic stuff that you need to be doing.
And sure, you could take this and go talk to your internal IT group and they try to figure some of this out. But, going forward, it’s about finding a partner that has a proven roadmap that can just implement and can check not only the boxes, but also have your people, your processes and your tools all integrated and done in one fell swoop.
Daniel Buchanan: One more thing, I was at a conference last week the Tennessee Medical Group Management Association and I was talking to people and cybersecurity is very top of mind there.
I talked to at least three groups that had been hacked recently, one of whom was in an actual ransomware attack at that very moment.
They were down and it was a big deal, and they couldn’t see patients. They saw a lot of patients. They had a huge internal team, and it was a big mess.
Another group I talked to was an actual EMR provider that provides the software. That hosts the EMR and of course they’ve got their own cloud. I don’t know the extent of how they were hacked, but boy, what a mess that is. This is everybody’s problem.
You hear about states like the state of Maryland, so this is a huge problem for people.
Edward Stringfellow: Bigger doesn’t mean better. I think the larger a practice is in a group and the older in IT terms a group is: they’re running off the old playbooks. How do you do remote access? Oh, well, step one we connect to the VPN.
Well, the second I hear that, I’m like: no, this is wrong. We don’t use VPNs anymore. We use other access methods that are SSO’d and more secured.
Hey, how do you log in? You go in the practice, and you see all the sticky notes on every monitor still. It’s some basic stuff.
It is complicated, but it doesn’t have to be complicated to implement, right? So, if you got the strategy and the roadmap and the playbook, and you’ve got a guide that can bring you along the path, it works pretty well.
Daniel Buchanan: Cool. Well, thank you for your time today. I hope this was entertaining and if you have any ideas or comments, please leave them in the comment section. We’ll see you all again next month.
If you liked this podcast and would like to learn more about Stringfellow Technology Group and what we do for small private practices across the United States, contact us for more information at firstname.lastname@example.org or via our sales phone number below. We would love to meet you.