Cybersecurity In Hearing Clinics


Cybersecurity: Be Prepared – Not Scared: Strengthening Cybersecurity in Hearing Practices

While cybersecurity has become a pressing business issue, many audiology practices don’t have the necessary security measures in place to protect confidential data – including patients’ healthcare and financial information. Does yours?


You may think that cybercriminals would target the biggest companies in the world – where they could collect huge ransoms from rich corporations – but, increasingly, cybercriminals are going after smaller organizations, which often lack the sophisticated security systems that larger businesses typically implement.  

In 2021, 82% of ransomware attacks were launched against organizations with fewer than 1,000 employees, and 37% of companies that were hit by ransomware attacks had fewer than 100 employees. Additionally, small businesses receive the highest rate of targeted malicious emails: one in 323.

Increased Cyberattacks In Healthcare  


Modern healthcare is dependent on technology. In audiology, we have sophisticated technologies to screen and diagnose patients, improve hearing aid fittings, optimize operations, and help us provide the Best Care Experience to every patient. While these technical advancements are valuable for our industry, we need to be mindful and protect our businesses from cybersecurity risks. 

There have been increased attacks on healthcare organizations in recent years, demonstrating the need for enhanced cybersecurity measures in the healthcare industry. According to the U.S. Department of Health and Human Services, during almost every month of 2022, more than 1 million people were affected by data breaches at healthcare organizations. And ransomware attacks targeting healthcare delivery organizations doubled from 2016 to 2021.

Cyberattacks can be devastatingly expensive. For starters, HIPAA fines start at thousands of dollars and can go up to as much as $1.5 million per incident. In addition to the exorbitant costs, data breaches can also cause irreparable damage to a hearing practice’s professional reputation and future revenue due to a loss of patient trust as well as negative media coverage and poor online reviews.

The largest healthcare cyberbreach to date was an attack on Anthem, Inc. In 2015, Anthem reported unauthorized access of consumer information, including member names, health identification numbers, birthdates, Social Security numbers, addresses, telephone numbers, email addresses, employment information, and income data. The breach was discovered by an employee – a database administrator who noticed his credentials were being used without his knowledge or consent. Since the data breach also included past enrollees, up to 80 million people had their personal information compromised. Anthem ultimately paid $39 million to resolve the ensuing litigation. 

Do You Have Cybersecurity Measures In Place? 


It’s important to protect your business – and your customers – from data breaches. Currently, more than 30,000 websites are hacked every day. And the average total cost of a data breach ranged from a staggering $3.86 million to $4.24 million in 2021.  

Audiology practices – like other healthcare organizations and companies across all industries – must be aware of cyberthreats, including unauthorized system access, malware infection, and data corruption. For instance, hacking has consistently been the most common type of cybersecurity breach. The number of healthcare data hacking cases increases annually, mainly due to ransomware attacks. Network server breaches made up more than half (56.6%) of the healthcare data incidents in 2022, a significant increase from 26.2% of breaches in 2019.

Cybercrime continues to increase each year and experts say this rising trend will never diminish, given the increased dependency on – and ongoing evolution of – technology. The rise in cybercrime is also leading to increased anxiety that some psychologists say may even rival traditional terrorism. 

Be mindful of the risks, assess your network to identify any potential vulnerabilities, and implement best practices to protect your business, employees, and customers. 

Auditdata Manage

Empower Your Practice with Secure Data Management and Seamless Configuration

Our Practice Management Solution, Manage is designed to be secure and accessible. We have partnered with Microsoft to give you the most secure and accessible cloud service in the world. With multiple redundancy and strict security, you can rest assured that your information stays safe. Our system is built with an open application programming interface, allowing you to share information across platforms and work with partners. 


Tips To Improve Your Cybersecurity 

It’s clear that audiology practices of all sizes must take proactive steps to increase their cybersecurity and minimize any possible system vulnerabilities. Here are some tips to accomplish this: 


1. Establish a Culture That Prioritizes Cybersecurity

Your practice’s leadership must believe in the importance of cybersecurity efforts, integrate it into your company culture, and emphasize that it’s a corporate value. As part of this commitment, earmark appropriate funding and staff to cybersecurity efforts.

Include IT security in your organization’s strategic plan. Hire an onsite IT expert or partner with IT consultants. Conduct regular risk assessments. Invest in the proper equipment and infrastructure to keep your data – and your business – safe. 

2. Train Your Staff

Your clinic’s security is only as good as its weakest link, and that weakest link is often your employees. This isn’t to say that your employees are evil and mean to harm your business. On the contrary – they often make completely innocent mistakes that inadvertently put your company (and your data) at risk.

For instance, if they leave their laptop unattended in a coffee shop, a cybercriminal can quickly steal it – or copy the files onto a flash drive – before your employee orders their latte. If an employee uses a weak password – perhaps their dog’s name that they share freely on their social media sites? – a hacker can easily infiltrate your system. Hold internal cybersecurity training sessions to discuss employees’ roles in keeping your hearing clinic’s system and data secure. Educate your staff about the most common ways that cybercriminals try to target organizations and explain how they can help thwart these cyberattacks. 

3. Use Strong Passwords

Security experts agree that strong passwords are the best way to prevent unauthorized access into any computer system in your practice. While passwords alone won’t prevent hackers from trying to access your data, they can slow them down and/or discourage their attacks.

Strong passwords are not easily guessed, so avoid using names, birthdates, or other common words or number combinations, especially if that information can be easily found on employees’ desks or social media platforms.

Passwords should be at least eight characters (the longer the better) and contain a combination of upper-case and lower-case letters, at least one number, and one special character. Don’t write your password on Post-it notes or leave it anywhere on your desk or around your computer. Change your passwords regularly. And don’t use the same password for all systems.

4. Plan For a Cyber Breach

Act as though a cyberattack is inevitable. What would you do if one occurred? The best strategy for your hearing clinic is to plan for a cyberbreach while working to prevent one. Conduct ongoing risk assessments to identify and address possible entry points and security gaps in your organization’s system.

It can be extremely valuable to hire an outside, objective IT expert to examine your system’s vulnerabilities so you can address and mitigate any risks. It’s also essential to develop a detailed incident response plan in case of a cyberbreach. While the details of the circumstance may vary, determine steps that you’d need to take, such as notifying impacted patients, regulatory bodies, etc.

Also, figure out (in advance) who would fill key roles, such as media spokesperson. Regardless of what happened, the goal will be to publicly demonstrate that the data loss is being handled responsibly and appropriately, and to communicate steps that you’re taking to prevent future breaches.  To learn more about crafting an incident response plan for your practice, check out this educational guideline. 

5. Update Your Software Regularly

A lax approach to updating software – or making careless “patches” in your security – can expose your practice to unnecessary cyberthreats. When software updates are released, they can (unknowingly) signal to hackers if there are any vulnerabilities that can be exploited from the previous version. Understand that the tech environment – and, therefore, the cybersecurity threat environment – is constantly evolving. While your staff is busy seeing patients and can’t always have an eye on every possible tech threat, be aware that any delay in applying software updates can leave your business and data vulnerable.

Allow your system to check for – and apply – system updates automatically. If that isn’t feasible, develop a manual technique, using automated calendar reminders to ensure regular, ongoing follow-ups. For instance, check for and apply updates every Friday morning.  

6. Protect Mobile Devices

Mobile devices – including laptops, smartphones, and tablets – have made our lives so much easier and more convenient, but they’ve also created new threats to confidential data, including patient records. Due to their mobility, these devices are easier to steal than the traditional desktop computer, so don’t leave them unattended – even for a moment – as they can be easily stolen, especially in public places.  Their increased capacity and internal memory mean that mobile devices can contain tremendous amounts of sensitive data.

It’s wise to keep all sensitive health data off mobile devices, but if that’s not realistic in your practice, make it mandatory that all the data be encrypted to keep it safer. There are other threats that are unique to mobile devices, as well. For instance, since they’re often used in public places, unauthorized viewing of confidential information should be a concern. And since not all mobile devices are equipped with strong authentication and access controls, you may need to take extra steps – including password protection and two-factor authentication – to secure mobile devices from unauthorized use. In a recent survey of global IT decision makers, 90% said their healthcare organization was implementing (or was planning to implement) a mobile device security initiative.

7. Implement Proven Cybersecurity Strategies and Technologies

Don’t reinvent the wheel here. Leverage cybersecurity best practices that have been designed, tested, and validated by cybersecurity experts. Using proven strategies, solutions, and technologies can help you keep your practice, systems, data, and other sensitive information safer. Also rely on gold-standard risk assessment strategies to determine any vulnerabilities in your IT systems that hackers could possibly infiltrate. Do some research, talk to cybersecurity and IT experts, and find proven security processes to give your clinic the protection it needs.

8. Install And Maintain Anti-Virus Software

A common way that hackers access organizations’ computers is through viruses. Even computers with the latest security updates may still be at risk. Computers may also become infected by seemingly innocent outside sources, including email and web downloads.

Therefore, it’s important to use reputable anti-virus software that provides continuous protection against the latest computer viruses and malware. Be sure to install anti-virus software on all your computers! 

 

9. Use a Firewall

While anti-virus software will help find and destroy malicious software that has already entered your system, a firewall prevents dangerous intrusions from entering in the first place.

A firewall inspects all messages coming into your system from the outside and uses pre-determined criteria to determine whether to allow the message in. Clinics of all sizes – including even the smallest independent practices – should have firewalls to help protect them against damaging threats and intrusions. 

10. Control System Access

When you think of hackers, you probably think of criminal masterminds huddled over complicated computer systems, relentlessly trying to penetrate companies’ networks. In reality, though, many successful attackers walk through your front door, using the credentials of an authorized user, like what happened with the massive Anthem data breach.

System access controls should begin by granting each employee only the system privileges they need to execute their job effectively (referred to as role-based access control). For instance, someone working in the finance department likely doesn’t need access to confidential patient records, and someone working on the clinical side probably doesn’t need access to sensitive financial data. Also, make it standard protocol to promptly revoke system access whenever an employee leaves your organization.  
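To make the access review described above concrete, here is an added example (not Auditdata's code and not part of the original post) that compares an account export against the current staff roster and each role's allowed permissions. The role names, permission names, and accounts are constructed sample data.

```python
# Added illustration: periodic access review for a small clinic.
# All roles, permissions and accounts below are constructed sample data.

# What each role is allowed to reach (the role-based access policy).
ROLE_PERMISSIONS = {
    "finance": {"billing", "payroll"},
    "clinical": {"patient_records", "fitting_data"},
    "front_desk": {"scheduling"},
}

# Current staff roster (for example from HR): username -> role.
ROSTER = {"amara": "clinical", "ben": "finance", "chloe": "front_desk"}

# Constructed export of accounts from the practice's systems.
ACCOUNTS = [
    {"user": "amara", "enabled": True, "grants": {"patient_records", "fitting_data"}},
    {"user": "ben", "enabled": True, "grants": {"billing", "payroll", "patient_records"}},
    {"user": "chloe", "enabled": True, "grants": {"scheduling"}},
    {"user": "dmitri", "enabled": True, "grants": {"patient_records"}},  # has left
    {"user": "erin", "enabled": False, "grants": {"billing"}},  # left, already disabled
]


def review_access(accounts, roster, role_permissions):
    """Return (user, action, reason) for every enabled account that needs attention."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used to log in
        user = acct["user"]
        role = roster.get(user)
        if role is None:
            # Enabled account with no matching employee: revoke promptly.
            findings.append((user, "revoke", "not on current staff roster"))
            continue
        # An unknown role gets no permissions, so every grant is flagged.
        allowed = role_permissions.get(role, set())
        excess = sorted(acct["grants"] - allowed)
        if excess:
            reason = "outside %s role: %s" % (role, ", ".join(excess))
            findings.append((user, "reduce", reason))
    return findings


if __name__ == "__main__":
    for user, action, reason in review_access(ACCOUNTS, ROSTER, ROLE_PERMISSIONS):
        print(f"{action:7} {user:8} {reason}")
```

Running a review like this on a schedule, and again whenever someone leaves, surfaces both leftover accounts and permissions that have crept beyond a person's role.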

11. Control Physical Access

Your organization must secure your data, including digital health and financial records, and you must also secure the devices themselves from unauthorized access. Digital health information is frequently compromised through the theft and the accidental loss of devices.

When a computer, laptop, smartphone or other device disappears – even if an organization has taken every precaution to set up strong passwords, access control, etc. – a determined hacker could still access the information stored on it. Therefore, it’s critical to protect your devices to ensure that they won’t be lost, stolen, or accessed by unauthorized users. Best practices include limiting physical access to your clinic and devices, securing machines in locked rooms, restricting access to employees-only areas, and being selective about which employees have keys to your practice. 

12. Conduct Regular Risk Assessments

It may be hard for honest, hard-working professionals to think like a cybercriminal, but it’s an important exercise. Take a good, hard look at your network, examining any areas of vulnerability where a hacker could enter.

As technology, systems, and processes continue to evolve, so do the risks to your business. Performing a technology risk assessment at least once or twice a year allows you to identify and remediate any potential new threats before they can be exploited by cybercriminals.

It’s a good idea to hire a third-party IT expert – who specializes in cybersecurity – to conduct a sweep of your system, looking for any security vulnerabilities. This expert can recommend any necessary steps to keep your system – and your data – safer. 

13. Get Proper Cyber Insurance

You can have all the best security, plans, and technologies in place to minimize the risk of a cybersecurity breach, but you can’t ever eliminate the risk altogether. While these tips are essential to help protect your hearing practice, it’s wise to also add cyber insurance to your insurance program.

Cyber insurance covers the costs associated with hacking, cyberattacks, and data breaches against your practice, so if you have a security breach, you’ll be properly protected against the potentially devastating financial fallout from the incident. It can be scary to think about, but it’s better to have it and not need it than need it and not have it. 

Auditdata Manage

The Most Secure Practice Management Software For Hearing Clinics

Our Practice Management Software, Manage, provides secure, reliable, and scalable management of your data and is in compliance with the data protection and privacy laws. 
