The U.S. Department of Health and Human Services (HHS) reiterated a salient point in a recent podcast: cybersecurity threats affect patient safety. Medical records are common targets of cyber criminals, and the increased reliance on medical devices to diagnose and test patients creates a real opportunity for harm to patients. However, cybersecurity initiatives aimed at mitigating these risks are often ignored or criticized by healthcare professionals.
For instance, advice such as using strong passwords, enabling device encryption, and updating software and firmware has become a fixture of every cyber article, yet many don’t follow it. Other initiatives come off as too technical for non-IT professionals and sometimes inspire angst because they lack practical solutions for healthcare providers. The barrage of cyber information can also cause some to become apathetic to these threats and warnings.
Understanding that physicians and their medical practices have limited resources to devote to cyber concerns, HHS announced a practical solution. On July 22, 2020, HHS released a public-facing website for its Health Sector Cybersecurity Coordination Center (HC3), targeting the healthcare and public health (HPH) sector. The HC3 promises to help the HPH sector better monitor and respond to important healthcare cyber threats by creating digestible, timely healthcare “products.” The HC3 website has three core products:
- Threat Briefings: Briefing presentations that highlight relevant cybersecurity topics and raise the HPH sector’s situational awareness of current cyber threats, best practices and mitigation tactics. The briefings include a legend that separates technical information (that your IT professionals can use) from the non-technical information (that physicians and practice managers can understand).
- Sector Alerts: Documents designed to assist the sector with defense against large-scale and high-level vulnerabilities.
- Sector Notes: Documents that provide high-level situational background on active threats and protection strategies from the perspective of the HC3 analysts.
The HC3 will work with healthcare and cybersecurity experts to provide updated, relevant information to the HPH sector.
Risk Mitigation Strategies
1. Make cybersecurity a priority in your medical practice. Encourage staff members to ask questions about cybersecurity, and start with this checklist by the American Medical Association (AMA), which also publishes healthcare-focused cyber content that may be helpful to your practice:
- How to improve your cybersecurity practices
- Protect your practice and patients from cybersecurity threats
- Patient safety: the importance of cybersecurity in healthcare
- What physicians need to know: working from home during COVID-19 pandemic
2. Become familiar with and review the HC3 webpage and the core products offered. HC3 is dedicated to cultivating cybersecurity resilience regardless of an organization's technical capacity, and recognizes the special focus that small- to medium-sized organizations require due to their lack of dedicated cybersecurity capabilities. A list of other FAQs can be found here.
3. Access TMHCC CyberNET® webinars and resources. In partnership with LAMMICO’s cyber risk experts, Tokio Marine HCC – Cyber & Professional Lines Group (TMHCC), LAMMICO offers our insureds complimentary access to CyberNET®, the most advanced cyber risk management solutions inclusive of sample policies, incident response plans and other compliance and training materials. Insureds are encouraged to log in as a Member at lammico.com to access CyberNET® through LAMMICO Practice Solutions.
4. Ensure you have appropriate cyber coverage. LAMMICO includes $10,000 of MEDEFENSE®Plus/Cyber Liability coverage in most provider policies at no additional charge to the insured. We offer the option to purchase higher limits of protection through our subsidiary agency, Elatas Risk Partners. Please contact Carly Thames, Elatas Account Executive, at firstname.lastname@example.org or 225.906.2062 for information about higher limits of Cyber Liability insurance.
5. For more information about minimizing cybersecurity threats, please contact the LAMMICO Risk Management and Patient Safety Department at 504.841.5211.