The widespread impact of the recent Change Healthcare cyberattack, which affected billing for hospital systems, pharmacies and medical practices across the country, was a wake-up call for allergy practices. Here are important cybersecurity lessons that practices learned:
- Cybersecurity must be a key operating function.
- Perform a regular risk assessment. One free option is the government’s HIPAA Security Risk Assessment Tool.
- Anticipate threats using advanced tools and best practices to detect, prevent and respond to them. Consider hiring an outside consultant to review your digital security and advise you. “We are specialists in allergic disorders based on our education, training, and experience. For cybersecurity, we need the equivalent specialists,” said Alnoor Malick, MD, FACAAI, vice-chair of the Practice Management Committee.
- Practices must monitor and limit risks from third-party vendors.
- Develop business contingency plans to ensure continued operations in the event of cyber incidents. Test your contingency plans regularly.
- Evaluate whether a cybersecurity insurance policy would benefit your practice.
HHS has developed several resources to help practices mitigate cybersecurity risk:
- HHS Healthcare Cybersecurity Performance Goals
  - This roadmap prioritizes layers of protection that can prevent a potential breach should any single line of defense be compromised.
- HHS 405(d) Health Industry Cybersecurity Practices
  - Accessible and usable information for medical practices, including the top five threats facing healthcare and 10 mitigating practices – plus helpful training, posters and info about each.
- HHS.gov Administration for Strategic Preparedness & Response
  - Provides guidance and support to enhance cybersecurity for the health care and public health sectors. Includes resources and education to improve cybersecurity and cyber defense.
Make sure everyone in your practice is trained regularly in best practices to reduce risk. Phishing attacks remain the most common and persistent threat. Repeated training can prevent failures due to human error. There are several free cybersecurity training resources:
- HHS 405(d) Knowledge on Demand
- AMA CME video series “Cybersecurity for the Clinician”
  - A series of six brief videos that uses easy, non-technical language to educate physicians about cyberattacks.
- HHS Educational Posters
One final helpful resource is a government website that provides ransomware resources and alerts.
- StopRansomware.gov can help you understand the threat of ransomware, mitigate risk and know what steps to take in the event of an attack.
Potential cyber threats to allergy practices are increasing. Take steps now to protect your practice, train your employees and prepare for unexpected events.