Do Your Cybersecurity Policies Need a Checkup?
AAOSNow – March 2019
by Michael R. Marks, MD
When was the last time you reviewed your cybersecurity policies? If you can’t recall, you’re overdue. Such policies are critical for protecting patient and other sensitive data in your network and reducing the risk of breaches that can cause reputational harm, costly recovery, and patient disclosure activities.
Recently, I spoke with Michael J. Sacopulos, JD, founder and chief executive officer of the Medical Risk Institute, about the finer points of cybersecurity policies and why orthopaedic surgeons should take them seriously.
Dr. Marks: Orthopaedic surgeons are so busy treating patients and dealing with coding, billing, and management issues. How high should cybersecurity policies be on their priority list?
Mr. Sacopulos: Very high. Mostly because the protection of patient data is what is at risk if they aren’t prepared. But also because 2017 was the “worst year ever” for cybersecurity incidents, according to the 2018 Online Trust Alliance’s Cyber Incident and Breach Trends Report. The number of reported breaches was nearly double that of 2016. And 24 percent of those occurred in health care. Sadly, most practices are unprepared to deal with cyberattacks.
Just five years ago, practices could probably take a calculated risk and set their cybersecurity policy development aside, but it’s too risky to ignore these days. The most common weak spots in health care are lack of written policies and procedures, insufficient training, and lack of a risk analysis, according to cybersecurity expert James Scott. All of these are preventable, and preparedness starts with a policy.