Protecting Your Practice from Cybersecurity Breaches

Has it really come to the point that orthopaedic practices' IT teams will need to hire "ethical hackers" to find the soft spots? Seemingly so.

Keep this in mind next time you want to hack a Fortune 500 company’s website: A word-cloud shown recently in a CORRelations “Chart of the Week” suggested that “123456” was the most common of the top-50 passwords used by business executives.

  • Don’t say we never taught you anything (and we expect a share of your ill-gotten booty as a finder’s fee).

Each year since 2016, the number of healthcare data breaches has increased, and 2023 was especially terrible: 26 data breaches involving over 1 million records, and four involving over 8 million records each. Nearly 140 million patient records were breached, or nearly 400,000 per day. The average cost per breach to the affected organization is over USD 4 million.

These aren’t usually accidents. Hacking and ransomware software are both the most common and the most damaging causes, and although the largest targets have been insurance companies, practice groups’ systems are most definitely on the menu. These hits can put you out of business. They've resulted in physicians not being able to collect on services rendered, as Julie Barnes covered for us in CORRelations not long ago. Some of these breaches have specifically targeted orthopaedic surgery practices (one of those affected nearly 200,000 patients' records).

Your IT folks should be ahead of you on this, but are they?

Here are two tools you might pass along to them:

  1. The US Department of Health and Human Services Cybersecurity Performance Goals. It’s a free download here (or ask your IT team to download it). The level of detail is more than you probably want to digest in the span of a CORRelations newsletter, but it’s specific, practical, and includes steps that many practices don’t yet implement.
  2. For a deeper dive, a company that specializes in threat mitigation for healthcare clients (which neither I nor CORRelations has any relationship with) offers a white paper that I found absolutely fascinating. It’s also a free download, but comes in exchange for your email address, so make your IT folks do it. The scope of the problem and the cleverness of the bad actors were jaw-dropping, and the suggestions they make go beyond those of the HHS CPG that I noted above and are well worth a look.

It’s hard to believe that surgical practices are going to need to conduct mock phishing tests, hire “ethical hackers,” and conduct internal penetration tests, but it’s true, and it beats the alternative — being the next orthopaedic group that gets hacked. As one section of the abovementioned white paper states, “the security of the ecosystem is dependent on the strength of its weakest link.”