Protecting patient data: Cybersecurity best practices for primary care physicians

Doctors handle their patients with care, and they need to do the same with data.

Recent studies suggest that cybersecurity attacks on health care systems are increasing — by October 2024, over 380 successful attacks were reported to have affected the medical industry alone.

This number may not seem large enough to be noteworthy; however, every attack on a health care body is potentially putting patient data — and therefore the patients themselves — at risk. For example, ransomware, malicious code that can lock health care systems, can prevent people from receiving the care they desperately need.

However, protecting patient data doesn’t fall just to organizations. It’s just as important for physicians to practice effective data sensitivity and handling so vulnerable people are always protected.

Understanding patient data and their vulnerabilities

Patient data are not sensitive only because of the nature of the information stored; they are also highly sought after by cybercriminals. Around 67% of health care bodies reported ransomware attacks, successful or otherwise, in 2024 alone.

Various studies also report that, of all data, those relating to the health care industry are particularly vulnerable to attack. This is due in part to both the sheer amount and variety of data held on patients and the many different devices physicians and health care providers use to process them.

Patient data are therefore not only highly desirable but also exposed to attack and theft on a worrying scale. Not only do health care networks and devices need to be robust against emerging attack patterns, but physicians and practitioners also need to practice good data protection principles.

One of the most effective ways of protecting health care data is to run regular penetration tests, in which security specialists carry out controlled test attacks on systems to assess their robustness. Before that, however, following general data protection principles from day to day is vital.

Navigating the regulatory landscape

Health care data in the U.S. are protected at the federal level by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its Privacy Rule.

Specifically, this regulatory standard ensures that health information (as the rule terms it) is protected in line with patient expectations. For example, it expects health care providers to explain to patients the ways in which their data can be stored and shared.

There are, of course, other privacy laws that affect patients and health care providers. For example, in some cases, health care providers need to gain consent from patients for their data to be shared with others.

For the most part, this is to ensure that patients have total say over who gets to use their personal and often highly sensitive details. However, such laws and regulations can also determine whether or not treatment goes ahead.

HIPAA can override privacy laws to an extent, but it is still the responsibility of health care providers and those who access data to ensure patients understand how their information is used and why.

Regardless of the regulatory landscape, it is now more important than ever for individuals and organizations to manage patient data as carefully as possible and to consider individual needs.

Practical cybersecurity best practices for physicians

Although it often falls to hospital and clinic administrators to ensure their systems and networks are secured against cyberattacks, there are a few practical ways in which physicians can ensure patient data are as protected as possible, as follows:

  • Lock and secure devices that are not in use: Cybercrime can occur from within as well as outside of an organization. Therefore, physicians should always secure any hardware or software they use so no one unauthorized gains access.
  • Use advanced passphrase security: Physicians should consider setting up multifactor authentication to secure devices so that only authorized individuals have access. It’s also wise to consider using passphrases that are at least 15 characters long and using advanced security such as biometric authentication (e.g., touch or face recognition).
  • Avoid installing unknown software: Ideally, physicians should use only software and tools that are pre-authorized by administrators. Installing third-party software could lead to the introduction of malware into a network and therefore put patient data at risk.
  • Be prepared: It is, sadly, easy to assume that most antivirus and antimalware suites will take care of malicious threats as soon as they arise. However, it’s good practice for physicians to have a backup plan in place to restore data where possible. For example, making data backups and being able to restore them from a cloud environment can be advantageous.
  • Use firewalls and industry-standard technology: It’s vital for physicians and other health care providers to use firewalls to protect any data they access — and to update software and technology regularly. Outdated technology can be extremely vulnerable to opportunistic hackers.

Communicating security to patients

Patients, too, should follow basic data protection practices to ensure their information remains private. Physicians, as mentioned, are subject to regulatory expectations that require them to tell patients how they intend to store and use their data.

However, physicians should also communicate to patients that because of the sensitive nature of their information, they should be particularly vigilant.

Advice physicians might offer to patients could include the following:

  • Encouraging the use of secure passwords with health care apps
  • Ensuring patients know what data are stored and why they are at risk
  • Advising caution regarding emails and communications sent by people claiming to be health care providers
  • Ensuring patients know to never share passwords or sensitive data with others, even if requested

The third and fourth points here are particularly valuable — social engineering is a major threat to health care data, alongside ransomware.

Conclusion

Patient data are some of the most sensitive data that companies store — and it is often down to the individual physician to handle them with care.

Threats to patient data are never going away, which is why it’s more important than ever for physicians and providers to act intelligently with regard to storing and protecting their information.

Some of the advice raised in this guide will offer physicians a good starting point — but it’s always wise to work with cybersecurity professionals to lay down a solid framework.

Michael Aminzade is vice president of Managed Compliance Services at VikingCloud and has over 26 years of experience within cyber, information security and compliance industries. His experience covers the full spectrum from internal information security, where he has been the chief information security officer for a large global service provider, to running large global consulting teams.