There is no denying that cyber threats across all industries are on the rise, reaching unprecedented numbers following the COVID-19 pandemic shutdown. The health care industry is no exception, with over 37 million individuals reportedly having their protected health information breached in 2021.

Unlike many other industries, when a health care entity experiences a cyberattack, not only does the attack disrupt business operations and utilize resources (e.g., financial, staff, and time), but such attacks can also have a negative impact on patient care and outcomes. Thus, for those practicing in the health care industry, taking steps upfront to protect and secure electronic data is of the utmost importance.

Here are five things that health care providers can do on the front end to help reduce the risk of cyberattacks and breaches of the protected health information they maintain.

1. Train Employees on Cybersecurity.

One of the best ways to prevent a cyberattack is to train employees how and where to properly store health information (i.e., what systems and drives can securely store patient information), how to recognize a threat (i.e., what are the characteristics of a suspicious email), and how to respond to a threat (i.e., who to notify and how quickly).

Training focused specifically on cybersecurity, combined with training on HIPAA privacy and security compliance, can drastically reduce the likelihood of an attack. Research has indicated that unintentional employee actions account for a significant percentage of data breaches, so training employees on how to recognize and prevent suspicious activity should be the first line of defense.

To carry out a cyberattack, threat actors must gain access to an entity's electronic system. If your system has adequate firewalls and security measures, the easiest point of entry for the threat actor is through “tricking” an employee (for example, by way of a phishing email) to allow the actor onto the electronic system. Thus, training employees to recognize a threat will help reduce the risks.

Training should be conducted upon hire and at least once a year. Training should be documented, including a copy of the training, when it took place and who attended. Such documentation should be retained for at least six years. If a cyberattack does occur, providing evidence of such training will be important in proving compliance with regulatory requirements.

2. Require Two-Factor Authentication for Remote Access.

As more employees shift to working from home and accessing systems remotely, there is an uptick in cyberattacks against systems that are not properly secured for remote access. One of the easiest ways to secure remote access is to require two-factor authentication for employees working from home. Not only must the employee type in a username and password to gain access, but they must also obtain an access code from an app on their mobile device or by answering an automated call to a designated phone number. We are seeing a number of cyberattacks that could have been prevented with two-factor authentication.

3. Store Data Appropriately.

It is highly recommended that health care entities only store protected health information in secure, password-protected databases (e.g., an electronic medical record system or a practice management system) and never directly on a hard drive. Having patient information behind an added layer of security lessens the risk of a breach of such information if an unauthorized individual gains access to your organization's physical computers or hard drives. Conversely, if the information is stored on hard drives and easily accessible to anyone with access to the devices, there is an increased likelihood that the information will be breached.

4. Update Computer Software and Security Measures.

Update software as frequently as possible and implement the most recent security measures available. As threats evolve, older versions of software are more vulnerable and subject to attack. In response, software companies often push out updates and security patches. Make sure to update software with these latest measures to help reduce the risk of an attack.

5. Adopt an Incident-Response Plan.

While not necessarily a preventative measure, having an adequate incident-response plan in place can ease a few headaches when a cyberattack occurs. Know who is on your incident-response team and how you can contact the members of the team outside of business contact information, which may be inaccessible during an attack. Be familiar with your incident-response policies and procedures so you can activate them quickly. The sooner you can stop the attack, investigate it, and mitigate the harm, the better off you will be.

Along those same lines, know where your health care data is stored and back up such data frequently. Knowing where the information is stored will help advisors analyze the attack quickly and efficiently to determine if reporting obligations exist.

Breach reporting obligations exist at both the federal and state level, including specific timeframes in which the breaches must be reported. Compliance with these timeframes rests on being able to quickly identify where information was stored and what information was breached. Backing up your data frequently will allow you to get your systems restored quickly, which can impact your ability to provide timely and adequate patient care.

While cyberattacks are an ongoing risk of doing business these days, health care providers can reduce the likelihood of an attack and make their systems less vulnerable. It is highly recommended that all health care entities take these five steps to help prevent and protect against cyber threats.

Kelli Fleming is a partner at Burr & Forman LLP, practicing exclusively in the firm's Health Care Industry Group. Fleming is based in Birmingham and can be reached at kfleming@burr.com.