Excerpted from page 14 of the September/October 2022 edition of AOA Focus.
An ever-present threat of emerging malware targeting critical U.S. infrastructure, including the health care industry, keeps federal watchdogs on alert and emphasizes the need for cybersecurity refreshers.
Earlier this year, the Department of Energy, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency and the FBI released a joint Cybersecurity Advisory over evidence of new malicious cyber tools threatening industrial controls and data acquisition devices within the U.S. At the same time, the Russia-Ukraine war prompted federal authorities to appeal for vigilance against retaliatory cyber strikes, with the Department of Health and Human Services admonishing hospitals and health care networks to be wary.
“We’ve been telling everybody consistently, shields up,” noted Jen Easterly, CISA director, in a CBS “60 Minutes” interview in April. “What does that mean? It means assume there will be disruptive cyber activity and make sure you are prepared for it.”
October is Cybersecurity Awareness Month, an opportunity to engage and educate businesses about the importance of cybersafety and increase resiliency in the event of a cyber incident. Sponsored by the Department of Homeland Security and in cooperation with the National Cyber Security Alliance and others, the awareness month is a prime opportunity to assess your own cybersecurity protocols and identify areas for improvement.
While strengthening an optometry practice's resilience to cyberthreats can seem daunting, there are several steps practices can take now to reduce their risk. AOAExcel® Endorsed Business Partner Lockton Affinity, which provides cyber liability insurance options designed specifically for AOA members, and CISA offer the following steps for practices to bolster their cybersecurity:
Implement password protocols. To better protect your systems, consider applying stronger password rules: passwords of 12 or more characters that combine upper- and lower-case letters, numbers and symbols; a different password for each account or service; scheduled prompts for users to change passwords monthly or quarterly; and a password change whenever a personnel change occurs, Lockton Affinity notes.
Incorporate a multifactor authentication (MFA) process. Don't stop at strong passwords: two-factor authentication, or MFA, requires users to confirm each login with a second factor, such as a code delivered by phone call or text message or an approval prompt in an authenticator app, after correctly entering their password. CISA recommends MFA for all system users, but starting with privileged, administrative and remote-access users is essential.
Leverage automatic system updates and regular patches. Instead of clicking "snooze" on prompts for system updates, allow automatic updates to run whenever possible, so your devices stay on the latest versions of their operating systems and applications. These patches often fix bugs or close newly discovered vulnerabilities. Also conduct an inventory of device operating system (OS) versions and installed applications, and check with your IT company that updates won't disrupt any of your systems, Lockton Affinity notes.
Likewise, CISA recommends removing unsupported or unauthorized hardware and software from your systems immediately, and a current device inventory is what makes that practical. Unsupported OS versions no longer receive updates or patches, so they quickly become vulnerable to new and developing cyber threats.
Consider basic cybersecurity training for all staff. In addition to system safeguards, it's important to build a culture of awareness and vigilance among practice employees. CISA recommends regular training for employees, regardless of technical expertise, to reinforce their role in safeguarding business systems and to suggest actions they can take to mitigate risk. Training should cover common threats, such as email scams, basic do's and don'ts of internet use, and how to recognize and report suspicious activity.
“Continually reinforce cyber hygiene as you would other workplace hygiene, e.g., handwashing, professionalism, etc.,” the CISA says.
Practices can access such cybersecurity resources and education tools.
Consider working with cybersecurity professionals. In addition to engaging a cybersecurity firm to conduct a comprehensive risk assessment of your practice's network and systems, doctors may find peace of mind through cyber liability insurance. Through AOA membership, doctors have access to cyber liability insurance administered by Lockton Affinity. This policy helps cover the costs associated with notifying all affected parties, ongoing credit monitoring, outside investigations and more.
AOAExcel’s endorsed business partners
As an AOA member, you can leverage the products and services of AOAExcel’s endorsed business partners for your practice or clinic needs, such as cyber liability insurance administered by Lockton Affinity.