Cybersecurity Report a Call to Action for Doctors


After more than a year at work, the Health Care Industry Cybersecurity Task Force in June issued its report on what providers must do to better safeguard patient data.

The task force, established by Congress in its Cybersecurity Act of 2015, comprises 21 leaders in health IT and related areas and was charged with addressing the cybersecurity challenges in healthcare today. Among its many highlights, the report cited a survey of 20,000 healthcare providers by research firm KLAS that said “many respondents widely reported that their electronic health records (EHRs) placed little attention on cybersecurity. Providers also report that many device manufacturers treat security as either an afterthought or that the attention is woefully inadequate.”

The 96-page report provides a snapshot of the current state of cybersecurity and runs through numerous imperatives, recommendations and action items.

6 critical actions for practices

He listed several simple, but critical, action items for practices to take, which the report addresses at various points:

1. Ensure that operating systems and antivirus software are updated with available upgrades and patches.

2. Establish policies against opening emails and attachments from unknown sources and continuously educate staff about those policies.

3. Hire a cybersecurity firm to conduct penetration tests, a common practice in other industries, where security professionals test their clients’ computer systems and staff to find vulnerabilities that attackers could exploit.

4. Consider implementing technologies that allow staff to open suspicious emails and attachments in a contained environment segregated from other systems.

5. Prohibit unauthorized access to patient data; enforce passcodes, automatic logoffs, access controls and mobile device policies to ensure only authorized personnel can access records.

6. Review your data recovery and business continuity plans to ensure your practice can access backup files and, thus, continue operations in the event of a cyberattack, a fire in your server room, an Internet outage, etc.

(Source: Mary K. Pratt | Medical Economics [7/26/2017])