If you pay even the slightest attention to the news, you know that medical practices have become a huge target for criminal computer hackers. You also probably know about the potential negative impact that a data breach could have on your medical practice, including loss of money, loss of time and, most importantly, loss of the trust that patients have placed in you and your organization.
- 71% of data breaches happen to businesses with fewer than 100 employees.
- 60% of small businesses go out of business after a data breach.
- Ransomware is a real threat to medical practices.
- Employees are your weakest link. 95% of data breaches are caused by employee mistakes.
- Data breaches can lead to an investigation by the HHS Office for Civil Rights (OCR) for HIPAA compliance.
One common method of attack is ransomware. Once a medical practice’s systems have been compromised, the malware encrypts the patient files and the attacker holds the only key until a ransom is paid. These attacks often start with an employee opening a link or attachment in a phishing email, but criminal computer hackers also get in through less obvious routes, such as software that has not been updated and weak or stolen passwords.
Here are 10 tips to protect your medical practice from a cyber attack.
- Make sure the entire staff is properly trained on healthcare security protocols.
- Use secure passwords.
- Don’t delay software updates.
- Control access to protected patient data.
- Perform regular data backups.
- Deter insider threats.
- Encrypt data.
- Maintain a layered defense system.
- Make sure you have the best cybersecurity software and hardware.
- Assess the risk and have a contingency plan.
The weakest cyber security link in your medical practice is the user. Training is mission critical. If you can’t supply this yourself, make sure you bring in a consultant who can provide training on the latest security protocols.
Password best practices include:
- Use strong passwords.
- Make the password at least 8 characters long and include numbers, capital letters and symbols. Longer is better: length adds more strength than complexity rules, and current NIST guidance (SP 800-63B) favors length over mandatory character-class rules.
- Don’t use words that are in the dictionary.
- The strongest passwords are passphrases. Take a sentence only you would know, such as “I went to elementary school in New York City in 1972”, keep the first letter of each word, substitute digits or symbols for some of them, and append a symbol, giving something like “Iw2EMSiNYC1n1972#”. Once an example has been published, that exact string is no longer a good password, so build your own.
- Change a password immediately if you suspect it has been exposed. Rotating every 60 to 90 days is a common policy, but current NIST guidance no longer recommends forced periodic changes, because they push people toward predictable variations of the same password.
- Don’t post your password in plain sight or in a file labeled “passwords” on your computer.
- Use a password manager so that each account can have its own long, random password.
- Turn on multi-factor authentication wherever it is offered, especially for email, remote access and the patient record system.
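The password rules above, as an added Python example (not code from the original article): a policy checker that reports which rules a candidate password breaks, including a dictionary-word check and a lookup against a list of SHA-1 hashes of known-breached passwords, plus a helper that builds a passphrase from a sentence the way the bullet describes. The word list, the breached-hash list and the substitution table are small constructed stand-ins; a real deployment would use a full dictionary and a breach corpus such as the Pwned Passwords data set.

```python
import hashlib
import re

# Constructed stand-in for a real word list (use a full dictionary such as
# /usr/share/dict/words in practice).
DICTIONARY = {"password", "welcome", "medical", "practice", "summer", "doctor", "clinic"}

# Constructed stand-in for a breached-password list, stored as upper-case SHA-1
# hex digests. A real check would use a local copy of a breach corpus or the
# Pwned Passwords range API, which is queried by hash prefix so the password
# itself never leaves the practice.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password1!", "Welcome123", "Summer2023!")
}

# Hypothetical substitution table for the passphrase helper.
SUBSTITUTIONS = {"to": "2", "for": "4", "one": "1", "and": "&", "at": "@"}


def passphrase_from_sentence(sentence, suffix="#"):
    """Turn a memorable sentence into a password: first letter of each word,
    whole numbers kept, common words swapped for digits/symbols, suffix appended."""
    parts = []
    for word in sentence.split():
        key = word.strip(".,!?;:").lower()
        if not key:
            continue
        if key.isdigit():
            parts.append(key)                      # keep years and numbers intact
        else:
            parts.append(SUBSTITUTIONS.get(key, word[0]))
    return "".join(parts) + suffix


def policy_violations(password, min_length=8, dictionary=DICTIONARY, breached=BREACHED_SHA1):
    """Return the list of policy rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    lowered = password.lower()
    # Substring match catches "Password1!" and "mypassword2024" alike.
    hits = sorted(w for w in dictionary if len(w) >= 4 and w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    if hashlib.sha1(password.encode()).hexdigest().upper() in breached:
        problems.append("appears in a breached-password list")
    return problems


if __name__ == "__main__":
    candidate = passphrase_from_sentence("I went to elementary school in New York City in 1972")
    print(candidate, policy_violations(candidate))
    for weak in ("abc", "Password1!", "Welcome123"):
        print(weak, policy_violations(weak))
```

Run as a script it prints the generated passphrase ("Iw2esiNYCi1972#" for the article's sentence) with an empty violation list, and the reasons each weak password fails. Note that a password that satisfies every character-class rule can still be rejected because it appears in a breach list, which is why the breach check matters more than the complexity rules.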
We all understand that software updates are annoying, since they sometimes take computers offline for a bit. However, running outdated software leaves you and your devices much more vulnerable to attack: once a vendor publishes a fix, the flaw it fixes is public knowledge, and attackers scan for systems that have not applied it. This is especially true of your website and its plugins. Hackers take advantage of those who don’t update software when updates are available.
Minimize the amount of access that an employee or contractor has to patient data. Make sure that individuals only have access to what is needed to perform their job function.
Backing up data will protect your medical practice from data loss due to damaged servers or ransomware. Automated backups should encrypt the data and copy it offsite, and at least one copy should be offline or otherwise unreachable from the office network, because ransomware operators look for attached backups and encrypt or delete them first. Make sure that data backups are routinely tested by actually restoring them, so you know you can recover the data before you need to.
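The restore test described above, as an added Python example (not code from the original article): it archives a folder, records a SHA-256 hash of every file in a manifest, then restores the archive into a scratch directory and compares each restored file against the manifest. The `demo()` function runs it on constructed placeholder files (no real patient data) and also checks a deliberately truncated copy of the archive, which is what a silently corrupted offsite copy looks like. Encrypting the archive before it leaves the office (for example with age or GnuPG) is outside this block.

```python
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large scans and PDFs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive_path):
    return Path(str(archive_path) + ".manifest.json")


def create_backup(source_dir, archive_path):
    """Write source_dir to a .tar.gz and record a SHA-256 per file in a manifest.
    Returns the manifest dict."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_of(path)
            tar.add(str(path), arcname=rel)
    manifest_path(archive_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(archive_path):
    """Restore the archive into a scratch directory and compare every restored
    file against the manifest. Returns a list of problems (empty = restorable)."""
    manifest = json.loads(manifest_path(archive_path).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                try:
                    # The 'data' filter refuses path traversal and unsafe members
                    # (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4).
                    tar.extractall(scratch, filter="data")
                except TypeError:
                    tar.extractall(scratch)   # older interpreter without the filter argument
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def demo():
    """Constructed end-to-end run on placeholder files (no real patient data):
    back up a folder, verify it restores, then verify a truncated offsite copy.
    Returns (problems_with_intact_backup, problems_with_damaged_copy)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        charts = work / "charts"
        (charts / "2024").mkdir(parents=True)
        (charts / "2024" / "visit-notes.txt").write_text("sample visit note\n" * 200)
        (charts / "scan.bin").write_bytes(bytes(range(256)) * 64)

        archive = work / "charts.tar.gz"
        create_backup(charts, archive)
        intact = verify_restore(archive)

        # Simulate a damaged offsite copy: same manifest, archive cut in half.
        damaged = work / "charts-offsite.tar.gz"
        data = archive.read_bytes()
        damaged.write_bytes(data[: len(data) // 2])
        manifest_path(damaged).write_bytes(manifest_path(archive).read_bytes())
        corrupt = verify_restore(damaged)
        return intact, corrupt


if __name__ == "__main__":
    intact, corrupt = demo()
    print("intact backup:", intact or "OK")
    print("damaged copy:", corrupt)
```

The point of restoring into a scratch directory rather than merely listing the archive is that a listing can succeed on an archive whose file contents are unreadable; only a full restore plus hash comparison proves the data is recoverable. Schedule `verify_restore` against the offsite copy, not the local one, and alert on any non-empty result.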
Insider threats are a leading cause of HIPAA data breaches. Insider threats include employees or contractors that access patient information without authorization. To deter insider threats, follow these best practices:
- Minimize the amount of access employees and contractors have to patient data.
- Periodically review the level of access for each employee and contractor.
- Ensure that there is system auditing in place.
- Periodically review system audit logs.
- Make sure your staff knows that system auditing is in place as this will minimize insider threats.
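The audit-log review from the two preceding sections (minimizing access and periodically reviewing audit logs), as an added Python example that is not code from the original article. It runs three checks over a constructed sample of an EHR access log: an action the user's role is not permitted to perform, access by non-clinical staff outside business hours, and one user opening many distinct patient records in a short window, which is the classic pattern of record snooping or a bulk export. The role-to-action matrix, the business-hours policy, the burst threshold and the log lines are all assumptions made for this example; a practice would substitute its own role configuration and export format.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical role-to-action matrix for this example; a real practice derives
# this from its own job descriptions and EHR role configuration.
ROLE_PERMISSIONS = {
    "physician": {"view_chart", "update_note", "view_billing"},
    "nurse": {"view_chart", "update_note"},
    "billing": {"view_billing"},
    "front_desk": {"view_demographics", "schedule"},
}
CLINICAL_ROLES = {"physician", "nurse"}   # may legitimately work after hours
BUSINESS_HOURS = (7, 19)                   # 07:00-19:00, Monday to Friday (assumed policy)

# Constructed sample access log (not real data). 2024-03-04 is a Monday.
# The last line is deliberately out of order, as exported logs often are.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action
2024-03-04T09:02:11,dr.patel,physician,P1001,view_chart
2024-03-04T09:05:40,dr.patel,physician,P1001,update_note
2024-03-04T09:30:02,jlee,billing,P1001,view_billing
2024-03-04T09:31:15,jlee,billing,P1001,view_chart
2024-03-04T22:47:09,mgarcia,front_desk,P2044,view_demographics
2024-03-04T13:00:01,rsmith,nurse,P3001,view_chart
2024-03-04T13:00:09,rsmith,nurse,P3002,view_chart
2024-03-04T13:00:25,rsmith,nurse,P3003,view_chart
2024-03-04T13:00:41,rsmith,nurse,P3004,view_chart
2024-03-04T13:01:03,rsmith,nurse,P3005,view_chart
2024-03-04T13:01:30,rsmith,nurse,P3006,view_chart
2024-03-04T10:15:00,mgarcia,front_desk,P2044,schedule
"""


def is_after_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def review_access_log(log_text, burst_threshold=5, burst_window=timedelta(minutes=10)):
    """Return a list of (rule, user, detail) findings from an access log.

    Rules:
      role_violation - action not permitted for the user's role
      after_hours    - non-clinical role accessing records outside business hours
      patient_burst  - one user opened >= burst_threshold distinct patients
                       within burst_window (reported once per user)
    """
    findings = []
    recent = defaultdict(deque)          # user -> (timestamp, patient_id) within the window
    burst_reported = set()
    rows = list(csv.DictReader(io.StringIO(log_text)))
    rows.sort(key=lambda r: r["timestamp"])   # ISO-8601 strings sort chronologically
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"])
        user, role, patient, action = row["user"], row["role"], row["patient_id"], row["action"]

        if action not in ROLE_PERMISSIONS.get(role, set()):
            findings.append(("role_violation", user, f"{role} performed {action} on {patient} at {ts}"))

        if role not in CLINICAL_ROLES and is_after_hours(ts):
            findings.append(("after_hours", user, f"{action} on {patient} at {ts}"))

        window = recent[user]
        window.append((ts, patient))
        while window and ts - window[0][0] > burst_window:
            window.popleft()              # drop events older than the window
        distinct = {p for _, p in window}
        if len(distinct) >= burst_threshold and user not in burst_reported:
            burst_reported.add(user)
            findings.append(("patient_burst", user,
                             f"{len(distinct)} distinct patients within {burst_window} ending {ts}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_access_log(SAMPLE_LOG):
        print(f"{rule:15} {user:10} {detail}")
```

On the sample log this reports jlee (billing staff opening a chart), mgarcia (front desk access at 22:47) and rsmith (six different patients in ninety seconds). None of these is necessarily misconduct: a nurse might be working a vaccination clinic. The value is that each finding becomes a question a supervisor asks, and staff who know the questions get asked are far less likely to browse records they have no business in.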
The best way to protect sensitive patient information is to use encryption: full-disk encryption on laptops, phones, tablets and USB drives, and encrypted connections (TLS) whenever patient data moves across a network. Many medical practices don’t realize how much patient information is on mobile devices. Sensitive patient information could be in emails, spreadsheets, documents, PDF files and scanned images. Encryption also matters for HIPAA: under the HHS breach notification rules, protected health information that was encrypted in line with HHS guidance is considered secured, so a lost or stolen encrypted device is generally not a reportable breach, while an unencrypted one is.
If you have layered security protocols in place, even if an attacker breaks through one layer they still won’t be able to access the protected data and your medical practice might be able to identify a full cyber attack before it’s complete. A layered cyber security defense system would include:
- Strong passwords
- Updated software
- Remote backups
- Physical security – locked doors, security guards, surveillance equipment
- Antivirus software
- Robust firewall
Make sure to use software from companies that prioritize cyber security in their software. Also invest in a next-generation firewall to protect all data and your systems and deploy the latest in anti-malware detection.
A security risk assessment (SRA) is a critical step to understanding the risk to your practice and patient information. Not only is it required under the HIPAA Security Rule, but it has the following benefits:
- An SRA will inventory patient information, identify how you are currently protecting the data, and make recommendations on how to lower risk.
- An SRA will help you understand the risk of phishing scams and ransomware, the dangers of lost mobile devices, and the risks of insider threats.
- An SRA provides documentation you need as evidence that you have considered all of the risks.