Physician cybersecurity: 9 tips to protect patient health records from cyberattacks

On February 21, 2024, a ransomware attack on Change Healthcare, a key player in the United States healthcare system — has impacted healthcare organizations across the US. This incident, labeled the "most serious" of its kind by the American Hospital Association, threatens a vast network managing 1 in 3 patient records and 15 billion healthcare transactions annually.

The impact ripples across the industry — affecting an estimated 800,000 physicians, 117,000 dentists, 60,000 pharmacies, 5,500 hospitals, and nearly all government and commercial players. 

By staying informed about this developing situation, healthcare businesses can take steps to minimize disruptions in patient care, financial losses, and other negative consequences.

A ransomware attack by ALPHV/BlackCat compromised Change Healthcare, a subsidiary handling patient records, revenue cycle, and prescriptions for Optum, on February 21st, 2024. United Healthcare Group (UHG), Optum's parent, disconnected Change Healthcare to contain the attack. The impact of this shutdown is believed to be affecting over $100 million in provider reimbursement daily, with possible provider impacts including: 

As of March 11, 2024, Change Healthcare continues to experience an interruption in service to some eligibility checks, claim submissions, clearinghouse reports, and electronic remittance (ERA) processing for certain payers.

To stay updated on latest developments, check out our guide "Daily updates: What to know about the Change Healthcare cyberattack."

The recent attack on Change Healthcare highlights the ever-present threat of cyberattacks in the healthcare industry. While ransomware attacks like this one can be devastating, they are just one tactic used by cybercriminals.

Here's a look at some of the most typical cyberattacks targeting healthcare providers.

Jesse Salmon, Manager of Information Security at Tebra, reports that, "Patient data is so valuable to cybercriminals because they use it to extort healthcare providers. In this way, HIPAA regulations make it an ideal pressure point, because by threatening to release patient records, providers are forced to pay massive ransoms to avoid costly HIPAA violations, litigation, and reputational damage." 

A patient data breach can lead to privacy violations, identity theft, and psychological trauma for patients. It can also cripple operations and lead to regulatory fines and lawsuits. Patient data lacks monetary value, but its regulatory liabilities make it leverage for extracting ransoms from providers.

Understanding common cyberattack methods and why patient data is so valuable helps practices to take proactive steps to safeguard both their patient information and healthcare systems. 

Salmon notes that, “One of the biggest cybersecurity threats facing physicians today is double extortion ransomware attacks. Modern ransomware groups don't just encrypt data — they also exfiltrate sensitive records to extort even higher payments by threatening to leak the data publicly, violating regulations like HIPAA."

The recent $22 million ransom Change Healthcare reportedly paid to ALPHV/BlackCat exemplifies this nightmare scenario. Despite the massive payment, a BlackCat affiliate claims BlackCat kept the full ransom while still retaining possession of over 4TB of stolen data from Change Healthcare partners like CVS-Caremark, Health Net, and MetLife.

If that is accurate and sensitive data is leaked due to a disgruntled affiliate, this leaves Change Healthcare vulnerable to regulatory penalties, lawsuits, and further disastrous consequences — even after paying a huge ransom.

The Change Healthcare cyberattack offers 3 critical takeaways for healthcare providers and physicians: 

1. Recovery from ransomware attacks may take longer than expected. It’s essential to have robust business continuity and disaster recovery plans in place. 

2. Paying the ransom is not a guaranteed solution to the problem, so preventive measures are crucial. 

3. Human error is the primary cause of ransomware attacks, so continuous security awareness training for all staff is vital.

Healthcare organizations use various methods to protect patient data, such as the following:

Find information about each of these and more in the security measures guidance below.

Here are 9 essential tips to help physicians and healthcare providers protect patient health records from cyberattacks.

Enforce complex password policies for all users and require MFA for sensitive applications. MFA requires a second factor, like a phone code, beyond a password for users to access accounts.

Outdated software can contain unpatched vulnerabilities that hackers can exploit. Make it a priority to update software and operating systems on all devices used to access patient data promptly. Regularly update all network devices — including routers, switches, and firewalls — with the latest security patches and prioritize areas for improvement.

Sensitive patient data should be encrypted both when stored on devices (data at rest) and when transmitted over networks (data in transit). Encryption scrambles data and renders it unreadable to unauthorized individuals.

Train staff on cybersecurity best practices, including recognizing phishing attempts, proper data handling procedures, and reporting suspicious activity. Clearly communicate cybersecurity policies and procedures to all employees and encourage them to report any suspicious activity or potential security incidents immediately. Regular training helps staff stay vigilant against evolving cyber threats.

Consider engaging a vendor to provide security awareness training on a recurring basis. These services can provide comprehensive reviews of the latest learnings about different security threats and show your staff how to be present for them.

It’s crucial to have a solid grasp of cybersecurity standards such as HITRUST, SOC I and II, and PCI, among others. "Ensure your vendors that handle either Protected Health Information (PHI), financial transactions, etc. have received certifications for those standards," says Anthony Comfort, VP of Product Management.

Incorporate a thorough security review as a standard part of your vendor selection process. For instance, use industry best practices such as NIST (National Institute of Standards and Technology) to develop a comprehensive questionnaire. This questionnaire helps with insights into how vendors manage sensitive data like PHI, the protective measures they have implemented, and their ongoing monitoring strategies for identifying and mitigating threats. 

By integrating these practices into your vendor evaluation procedures, you can significantly enhance the security posture of your organization and mitigate potential risks associated with third-party partnerships.

Follow the principle of least privilege, granting users access to only the minimum amount of data they need to perform their jobs. This reduces the potential damage if a breach occurs.

For example, more practices are enlisting the use of telemedicine for their practices — which presents unique cybersecurity challenges. These off-the-shelf video apps might mean compromising on encryption and HIPAA compliance. Plus, connecting providers and patients over public networks adds more vulnerable points. Telemedicine requires access to patient data from less controlled environments. 

To tackle these challenges, practices should limit telemedicine use to approved devices — along with performing risk assessments and providing regular security awareness training to staff.

Proper security protects a company’s internet network, infrastructure, and data to prevent cyberattacks and data breaches.

Implement a firewall and intrusion detection system (IDS) to monitor network traffic and identify potential attacks. Also enforce strong wireless network security measures, including WPA2 encryption and unique passwords for each access point. Avoid public Wi-Fi for accessing patient data. 

Regularly create backups of patient data and store them securely offsite in case of a cyberattack or system failure. Backups allow for data recovery in the event of a breach.

Have a plan in place for responding to a data breach. This plan should include steps for containing the breach, notifying patients and authorities, and mitigating damage. Regularly test your response plan to ensure its effectiveness.

Nurses are uniquely positioned to help protect against — and report — cybercrimes because they are one of the largest employed populations in the healthcare industry. They are also on the front line of patient care and healthcare technology use. Nurses play a critical role in preventing cyberattacks by following these steps:

For ongoing vigilance about new cyber threats and evolving security best practices, subscribe to authoritative threat intelligence feeds and advisories from trusted sources such as:

For continuous monitoring of network traffic and security events, consider using EDR (Endpoint Detection and Response) tools in addition to traditional Anti-virus (AV).

EDR tools: 

Leading EDR platforms also integrate with up-to-the-minute threat intelligence feeds on emerging attack vectors, malware strains, adversary group tactics, and more to continuously enhance detections.

It is imperative that all medical practice staff embrace their unique positions on the front lines of defense — by implementing robust security protocols, engaging in continuous education on cyber threats, and adhering to best practices for data protection. By fostering a culture of cybersecurity awareness and preparedness, the healthcare industry can better safeguard against future cyberattacks, ensuring the integrity of patient care and the protection of sensitive health information.

Tebra, the leading practice automation solution, houses all services on a highly secure and controlled platform. Learn how Tebra provides many of the above safeguards, such as encryption and backups, through a free demo.