50%

Fifty-eight percent of malware attack victims are small businesses

60%

Sixty percent of small businesses go out of business within six months of an attack

90%

Ninety percent of small businesses do not use any data protection at all



$2.2M

$2.2 million was the average cost resulting from cyber-attacks for small and medium-sized businesses


Attributes of a Small Organization

The process of implementing cybersecurity practices will vary by organization size, complexity, and type. For example, the development and implementation of an incident response plan will differ significantly between a large integrated delivery network and a small two-physician practice.

Each organization has specific cybersecurity-related attributes, strengths, and vulnerabilities. For cybersecurity practices to be optimally effective, organizations must tailor them to their unique needs and business mission.

Small health care organizations tend to have limited resources for managing their cybersecurity practices, but are no less subject to cyber attacks. Indeed, the Top 5 Cybersecurity Threats, documented below, can be very disruptive to small organizations. Suppose a small provider practice loses a laptop with unencrypted personal health information (PHI), resulting in a publicized breach?. Such a breach could wreak devastating consequences for both the provider’s patients and the practice’s reputation.

Conducting day-to-day business usually involves the electronic sharing of clinical and financial information with patients, providers, vendors, and other players to manage the practice and maintain business operations. For example, small organizations transmit financial information to submit invoices and insurance claims paid by Medicare, Medicaid, Health Maintenance Organizations (HMOs), and credit card companies.


In general, small organizations perform the following functions:

Clinical care includes sharing information for clinical care, transitioning care (both social and clinical), electronic or “e-prescribing,” communicating with patients through direct secure messaging, and operating diagnostic equipment connected to a computer network, such as ultrasound and pictures archiving and communication systems (PACS).

Provider practice management covers patient access and registration, patient accounting, patient scheduling systems, claims management, and bill processing.

Business operations spanning accounts payable, supply chain, human resources, IT, staff education, protecting patient information, and business continuity or disaster recovery.

Small Organizations may be subject to several directives:

Small health care organizations must comply with multiple legal and regulatory guidelines and requirements. They often ensure compliance by creating an internal infrastructure of personnel and procedures to govern the transmission of sensitive data internally and with authorized external resources.


  • Electronic health records (EHR) interoperability guidelines
  • Medicare Access and the Children’s Health Insurance Program (CHIP) Reauthorization Act of 2015 (MACRA)/Meaningful Use
  • Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology Economic and Clinical Health Act (HITECH)
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Substance Abuse and Mental Health Services Administration
  • Many small practices and health care organizations use third-party IT support and cloud service providers to maintain operations that leverage current technologies. Small organization needs to understand if a third-party IT organization’s cybersecurity posture poses risk.



Top 5 Cybersecurity Threats

In 2017, under the leadership of HHS, the Healthcare Industry Cybersecurity Task Force (HCIC) conducted a Healthcare Industry Cybersecurity Risk Assessment; the results were published in the Health Care Industry Cybersecurity ReportThe Health and Public Health Coordinating Council Task Group responded to the findings and the Cybersecurity Act’s mandate to “Align Health
Care Industry Security Approaches.”

The Task Group determined that it was not effective to identify every cybersecurity challenge across the large and complex U.S. health care industry. The Task Group therefore made the decision to focus on the most impactful threats, with the goal of significantly moving the cybersecurity needle for a broad range of organizations within the industry. Below are the Top 5 Threats to small healthcare organizations:



HHS Top Five Threats for small healthcare organizations
  • 1. E-mail phishing attacks
  • 2. Ransomware attacks
  • 3. Loss or theft of equipment or data
  • 4. Insider, accidental or intentional data loss
  • 5. Attacks against connected medical devices that may affect patient safety


Mitigation Practices

To assist small healthcare organizations address the risk posed by the Top 5 Threats, the Department of Health and Human Services (HSS) recently published a common set of best practices, methodologies, procedures, and processes. These mitigation guidelines, though voluntary, are consensus based and industry led.



Mitigation Practice #1: E-mail Protection Systems

Small practices typically leverage outsourced third-party e-mail providers, rather than establishing a dedicated internal e-mail infrastructure. The e-mail protection practices in this section are presented in three parts:

  • E-mail system configuration: the components and capabilities that should be included within your e-mail system
  • Education: : increase staff understanding of email-based cyber attacks such as phishing and ransomware, and awareness of their role in protecting the organization
  • Phishing simulations: : provide staff with training on and awareness of phishing e-mails


Mitigation Practice #2: Endpoint Protection Systems

Endpoints include desktops, laptops, mobile devices, and other connected hardware devices (e.g., printers, medical equipment). Because technology is highly mobile, computers are often connected to and disconnected from an organization’s network. Although attacks against endpoints tend to be delivered via e-mail, as described above, they can also be delivered as client-side attacks.



Mitigation Practice #3: Access Management

Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints. Just as a name badge may be required to identify persons in the physical work environment, cybersecurity access management practices can help ensure that users are properly identified in the digital environment, as well.



Mitigation Practice #4: Data Protection and Loss Prevention

A security breach is the loss or exposure of sensitive data, including PHI as well as information relevant to the organization’s business. Impacts to the organization can be profound if data are corrupted, lost, or stolen. Security breaches may prevent users from completing work in an accurate or timely manner; potentially devastating consequences to patient treatment and well-being could occur. Thus, good data protection and loss prevention practices protect the organization as well as the patients.



Mitigation Practice #5: Asset Management

Organizations manage IT assets using processes referred to collectively as IT asset management (ITAM). ITAM is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization.

ITAM processes should be implemented for all endpoints, servers, and networking equipment. ITAM processes enable organizations to understand their devices, and the best options to secure them. Although difficult to implement and sustain, ITAM processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.



Mitigation Practice #6: Network Management

Computers communicate with other computers through networks. These networks are connected wirelessly or via wired connections (e.g., network cables), and networks must be established before systems can interoperate. Networks that are established in an insecure manner increase an organization’s exposure to cyber attack.

Proper cybersecurity hygiene ensures that networks are secure and that all networked devices access networks safely and securely. If network management is provided by a third-party IT support vendor, the organization must understand key aspects of proper network management for inclusion in contracts for these services.



Mitigation Practice #7: Vulnerability Management

Vulnerability management is the process used by organizations to detect technology flaws that hackers could exploit. This process uses a scanning capability, often provided by an EHR or IT support vendor, to proactively scan devices and systems in your organization.



Mitigation Practice #8: Incident Response

Incident response is the ability to discover cyber attacks on the network and prevent them from causing data breach or loss. Incident response is often referred to as the standard “blocking and tackling” of information security.

Many types of security incidents occur on a regular basis across organizations of all sizes. Two common security incidents that affect organizations of all sizes are:

  • Installation and detection of malware
  • Phishing attacks that include malicious payloads (via attachments and links)


Mitigation Practice #9: Medical Device Security

As technology advances and health care environments migrate to digitized systems, so do medical devices. For many reasons, it is highly desirable to interface medical devices directly with clinical systems. Automating data collection from medical devices reduces the labor burden and exposure to human error that results from manual input of data. Furthermore, automated control of device instrumentation delivers the most accurate treatment possible to the patient. For example, bedside vital signs monitors are networked to centralized nursing station displays and alarms, and infusion pumps are networked to servers to distribute drug libraries as well as download usage data.

As with all technologies, medical device benefits are accompanied by cybersecurity challenges. One emerging threat is the practice of hacking medical devices to cause harm by operating them in an unintended manner. For example, the 2015 document “How to Hack an Infusion Pump” describes how an infusion pump can be controlled remotely to modify the dosage of drugs, threatening patient safety and well-being.

Cybersecurity vulnerabilities are introduced when medical devices are connected to a network or computer to process required updates. Many medical devices are managed remotely by third-party vendors, which increases the attack footprint.



Mitigation Practice #10: Cybersecurity Policies

Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyberattacks. With consistent training and enforcement, expectations are clear and foster a consistent adoption of behaviors by your workforce. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.