Preparing your Physical Therapy Office for a Cyber Attack
Yes, the title of this blog may sound ominous. However, it’s imperative that you find ways to prepare your office – including yourself and your employees – against a potential cyber attack. Protecting client and employee information has always been necessary. The adoption of more digital access points means more information is online … and it needs safekeeping.
Finding the best ways to store and protect your information is key in ensuring your clinic’s longevity and overall success, but how can you do it … and where should you begin?
Start by Understanding Where Cyber Attacks Happen
In 2020 alone, there were nearly 600 total healthcare information breaches, affecting more than 26 million people. Up more than 55% from 2019, this year-over-year rise is meaningful.
When outside entities attempt to breach healthcare information, it puts patients and their families at risk. HIPAA exists for a reason. Patient health information is meant to be private.
What are these hackers after?
Personal data, for one. Medical records contain a great deal of unique patient information, including the following.
- Social Security numbers
- Birthdates
- Home addresses
- Phone numbers
- Emergency contact information
- Bank account / credit card numbers
Protecting your clients means more than keeping them physically safe. It also must include keeping their information – and their identities – confidential, too.
It’s also important to know that these breaches don’t just impact smaller businesses; larger medical facilities and practices feel the effects, too. When healthcare information is compromised, there are financial implications to assessing the breach and fixing it.
How Much Do Cyber Attacks Cost a Physical Therapy Office?
Aside from the need to strengthen online information security, there are costs associated with patient notification, too. When a data breach occurs, it’s the duty – by law – of your practice to notify patients that their information may have been compromised. These notifications are not cheap, either; some may cost upwards of $400 per patient.
Another thing to consider? Clinics pay this per-patient cost with every suspected breach. This makes even one incident catastrophic for physical therapy clinics.
The larger the clinic, the more people you’ll need to reach out to. Even something as simple as an outsider breaching an email database is significant. This event has the potential to disrupt your practice.
Don’t let this happen. Take the first step and get a cybersecurity expert to assess your practice, and your currently implemented safety measures.
Preparing for a Cyber Attack Begins With Your Employees
In many cases, increasing safety and awareness begins with staff education. It’s recommended to hold yearly training sessions for employees. This is a time to familiarize them with new, potential issues. These sessions often cover:
- Phishing scams
- Increased password protection
- Updated encryption measures
- Using more sophisticated options for protection
These options include the use of a VPN (Virtual Private Network), multi-factor authentication and consistent methods for disposal of outdated information and equipment.
Finding the gaps requires a careful eye, so bringing an expert in is recommended, because not everyone knows what to look for. It sounds like a great deal of work, but to ensure patient and employee information security? It’s just the beginning.
Protecting Patient Information: The Next Steps
First and foremost, everything implemented must be HIPAA compliant.
This means signed BAAs and end-to-end encryption for all software, applications, platforms, and website content that host or display patient health information like:
- Online forms
- Phone calls
- Texts
- Payment processing
- Hosted PHI (online appointment requests, ‘contact us’)
- Telehealth solutions
Taking the time to ensure each of these is – and remains – compliant helps protect both patient information security and your practice in the long run.
Rising Concerns for Cyber Attacks Due to Telehealth Use
With more clinics implementing virtual care options over the past year, concerns with the use of the services rose, too.
With the quick onset of the COVID-19 pandemic, practices scrambled to find effective solutions to continue patient care. For many, the quickest, easiest solutions were unsecured video platforms. However, these are not the only solutions available.
Under the public health emergency and long after it expires, Telehealth appointments need to be HIPAA compliant.
As more is learned about the function and use of Telehealth platforms, HIPAA compliance becomes possible. Using – and offering – this service to your clients won’t increase the risk of a cybersecurity breach, especially if you use a reputable and tested provider.
In simple terms, the same security conditions apply to both virtual Telehealth visits and in-clinic patient sessions.
One option to ensure HIPAA compliance? BetterPT.
The benefits of the BetterPT platform are numerous, but some of the most useful are:
- Secure appointment requests, replacing unsecured online forms
  - These secure forms are comprehensive, easy to understand – and even easier to access.
- Patient self-scheduling options for in-office and virtual appointments
  - Not only can patients trust that their information is safe, this allows them to choose when and where to receive care.
  - Scheduling appointments via the platform eliminates confusion. Patients have the ability to log in at their convenience and schedule, change or update sessions.
  - Sessions are immediately added to the clinic and patient calendars. Reminder cards and printouts aren’t necessary.
- Digital patient onboarding, including insurance and basic health information
  - Patients can answer questions in the comfort of their own homes, without needing to speak to anyone face to face. This provides time for them to think carefully about answers to all questions.
  - Easily (and securely) store, access, and change information as necessary.
  - Instead of flipping through thick stacks of paper, physical therapists have all necessary information before patients arrive.
- Dashboard to manage all patient appointment requests
- Secure, automatic email and text reminders
  - Automatic reminders mean fewer opportunities for patients to miss phone calls or misplace appointment reminder slips. They are customized to meet individual needs. (For example, setting reminders at different times for different patients – one day early, 72 hours early, etc.)
- Cloud-based video capability with recording
The entire platform and each feature is HIPAA compliant, safe and secure. This makes BetterPT an asset to any physical therapy clinic, provider, or network.
But no matter how safe and compliant your system is, there is always risk. How should you address it?
Risk Mitigation of Cyber Attacks for Physical Therapy Practices
The vulnerability of healthcare-related businesses increases simply because of the large amount of patient data within the system at any given time. Since your goal is to retain your current patients and acquire new ones, it’s impossible to think about having less patient data.
So, protect what you have – and make a plan for the future, too.
Protecting your current investments and assets is important, but how can you ensure that you’ve done everything you can when it comes to preparing your physical therapy office for a future cyber attack?
Simple.
Through an insurance policy with very specific coverage.
Protect Your Patients and Your Business with Cyber Liability Coverage
HIPAA compliance is mandatory in everything you do. However, when it comes to protecting your clinic from a cyber attack or data breach, cyber liability is a best practice. It’s important to understand what it offers and how this stand-alone coverage is different from your medical malpractice insurance.
Key components of cyber liability coverage include:
- Security and privacy liability: investigations from a regulator or getting sued by a patient
- Security breach response: coverage for crisis management and breach response
- Cyber extortion and ransomware: victim’s data (PHI) is held until a ransom is paid
One company that offers this type of coverage is CM&F Group, and you can learn more about their cyber liability coverage here.
Are you protected?
Many healthcare entities have no cyber liability coverage or very limited coverage.
Don’t let your practice fall into one of these categories.
Do your research.
The experts at CM&F Group are ready to help, with easy, cost-effective plans for every healthcare professional. Protect your business with award-winning coverage that includes:
- Up to $1 million in coverage
- 24/7 access to DataSafe portal and customer service
- Free cyber risk report
- Online training for you and your employees
If you’re still on the fence about implementing a cybersecurity plan, think about this:
According to TechInsurance.com, purchasing stand-alone cyber liability coverage of $1 million can cost less than notifying only 4 patients of a breach. Protecting your patients – and doing what you can to ensure their safety – is your number one priority as a healthcare provider.
They’re already entrusting their health to you – and personal information goes hand in hand.
Seeking advice and information helps to put you on the right path, but every business is different. Get a quote from CM&F Group today.
Want to learn more about cyber liability insurance, and the ways that you can prepare your physical therapy office for a cyber attack? Fill out the form below to view a recent webinar!