National Cybersecurity Awareness Month (NCSAM), which takes place every October, sheds light on the importance of privacy and security best practices that every healthcare industry stakeholder should consider. While cyberattacks seem to be more prevalent among larger providers, recent evidence shows a marked shift toward smaller entities.
In fact, business associates (BAs), a category that includes clearinghouses, accounted for 15% of all breaches reported in 2022, and of the 409 breaches reported to the Office for Civil Rights in the first eight months of the year, 74 involved a business associate in some way.
Regardless of whether a provider or surgery center is attacked directly or through a business associate, the practice is on the hook for bad publicity, potential fines, and a high price for remediation that can put the future of the practice or surgery center and its reputation at risk.
As we embark on a month dedicated to creating resources and communications to help every provider, staff member and the patients they serve stay safe online, here are six steps to help ensure your clearinghouse, other business associates, and your own facility follow security best practices.
1. Adopt a Universal 2nd Factor (U2F) authentication key. Ask whether your clearinghouse and other BAs support login with a Universal 2nd Factor (U2F) security key, a small USB (or NFC) device that holds a separate credential for each site where the user has registered it. Instead of a one-time code sent by text, email or phone, which can be intercepted or simply typed into a fake login page, the key signs a challenge from the site, and the browser binds that signature to the origin the user is actually visiting. A credential registered for your clearinghouse's real domain therefore cannot be used from a look-alike phishing domain, which defeats credential phishing and man-in-the-middle logins. It does not protect a session that is already logged in, nor a computer that is already running malware, so it complements rather than replaces the other steps below. The strongest practical login combines something you know (a password) with something you have (the key).
2. Determine how secure your partners are. The weakest link in the security chain is the one bad actors are most likely to exploit. That is why you should ask your BAs and partners whether they can provide a current SOC 2 report, a voluntary attestation that examines how an organization manages customer data against five trust services criteria, including security, confidentiality, and privacy. For healthcare organizations specifically, accreditation or certification from trusted independent bodies such as EHNAC or HITRUST shows a commitment to keeping data safe. Ask for the report itself rather than accepting a logo on a website: a SOC 2 Type II report covers controls operating over a period of months, not just a point in time, and the listed exceptions tell you where the partner's controls actually failed.
3. Maintain physical and device security. In addition to the above advice, lock your screen or log out of applications whenever you step away from your computer, even for a moment. Pay attention to your surroundings and be wary of anyone who does not belong in the area. Position your screen so that it cannot be read from areas where patients and visitors pass.
4. Use your business device only for business. In August, an independent security researcher published a report on the privacy and security risks of the in-app browsers in mobile apps such as Instagram and Facebook, which inject their own JavaScript code into third-party websites opened inside the app. The researcher also found that the iOS (Apple) TikTok in-app browser injected code capable of keylogging, recording every keystroke typed into a web page. While no malicious intent has been found, these findings show that keeping data safe online is a non-stop challenge, and that a personal app on a work device can become a channel into the business sites you open from it. Open work links in the device's standard browser, and keep personal social apps off devices used for patient data.
5. Protect against phishing attacks with education. More than 80% of breaches involve a human element, including social engineering, errors, and misuse. Spear phishing, in which bad actors tailor a message to a particular person, is made relatively easy by information freely available on social media and company websites. Ongoing education helps employees recognize phishing attempts and reduces the exposure such attacks represent. Beyond education, consider vendors that run simulated phishing campaigns, sending bogus messages to staff and routing those who click on the links to further training.
6. Remain vigilant to emerging threats. During the summer, the FBI issued a warning that people in healthcare were being targeted by scammers impersonating law enforcement or government officials to extort money or steal protected health information, using details gathered from social media and/or a facility website. The scammers spoof legitimate organization names and phone numbers and present fake credentials. The FBI reminds everyone that any legitimate investigation or legal action will be conducted in person or by official letter, and that no law enforcement agency will request payment by prepaid card or cryptocurrency.
Cybersecurity awareness is a twelve-month mindset
Healthcare data remains a prime target for bad actors because a single record often contains enough information to build a complete false identity that can then be exploited for further gain. Vulnerability management tooling and human vigilance can repel most attacks, but an attacker only needs to succeed once to wreck your medical practice or surgery center.
Cybersecurity awareness at your own company and among your staff should be practiced every day, not just during one month of the year. As part of that vigilance, closely examine the BAs with which you do business, because their security weaknesses can become yours.