Cybersecurity is an increasing problem across every industry. Healthcare is no exception. But the risks that healthcare organizations face from suffering a data breach are far worse.
You house all of your patients' sensitive health information. A breach would be catastrophic for your entire practice, not to mention your patients.
Evaluating what security measures your practice has in place should be done frequently. But where do you start? How do you know what is protected and what runs the risk of being hacked?
HealthIT.gov published a list of 10 best practices for small practice cybersecurity. Follow these and prevent a data breach from happening to you.
1. Use strong passwords and change them frequently
As we all know, having a strong password is your first chance of preventing unauthorized users from gaining access to your systems. Here are the do’s and don’ts for strong passwords, according to HealthIT.gov:
A strong password should:
- Be at least 8 characters long
- Have a combination of lower and upper case letters, a number, and a special character.
A strong password should NOT include:
- Any word found in the dictionary
- Any personal data, such as a name, a birth date, or even the name of your pet.
Most systems require that users change their passwords every few months. Make sure your system is configured this way to prevent any loss of security.
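The do's and don'ts above can be enforced in code when a password is set. The following is an added example, not code from HealthIT.gov or this article; the word list, the substitution table and the function name are assumptions made for illustration.

```python
import re
import string

# Constructed stand-in word list; a real deployment would load a full dictionary file.
SAMPLE_DICTIONARY = {"password", "welcome", "doctor", "nurse", "clinic", "summer"}

# Undo common character substitutions so "P@ssw0rd" is still seen as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})


def check_password(password, personal_terms=(), dictionary=SAMPLE_DICTIONARY):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")

    lowered = password.lower()
    normalized = lowered.translate(LEET)
    if any(word in lowered or word in normalized for word in dictionary):
        problems.append("contains a dictionary word")

    # Personal data: match names as text and dates as bare digits, so the
    # birth date "04/12/1980" is also caught when typed as "04121980".
    pw_digits = re.sub(r"\D", "", password)
    for term in personal_terms:
        text = term.lower().strip()
        digits = re.sub(r"\D", "", term)
        name_hit = len(text) >= 3 and (text in lowered or text in normalized)
        date_hit = len(digits) >= 4 and digits in pw_digits
        if name_hit or date_hit:
            problems.append("contains personal data")
            break
    return problems
```

Pass the user's own name, birth date and similar details as `personal_terms` when the password is created, and reject the password if the returned list is not empty.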
2. Install and maintain anti-virus software.
Using anti-virus software is easy to do and is relatively inexpensive. And a whole lot less expensive when you consider the risk it’s combatting. Make sure that your anti-virus software is up to date and running regularly.
3. Use a firewall.
A firewall will help prevent any unauthorized users from accessing your system. There are two types of firewalls: software and hardware. A software firewall is easier to use and generally comes with pre-configured criteria for determining security. A hardware firewall should be used by practices that use a Local Area Network (LAN).
4. Control access to protected health information.
HealthIT.gov explains that access to protected health information (PHI) should only be granted to those who need to know it. This is sometimes hard to define, but ultimately, only those who are directly involved with certain aspects of a patient's care should be set up to access it. For example, a scheduler can be set up using role-based access control. This means that the scheduler can only access a patient's demographic information, and not their sensitive health information. Keeping these security measures in place helps avoid a HIPAA breach and resulting complications.
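The scheduler case above, sketched as an added example that is not code from HealthIT.gov or from any EHR product. The field names, the physician role, the sample record and the in-memory audit list are assumptions; only the scheduler's restriction to demographic data comes from the text.

```python
# Hypothetical field groups and roles; only "scheduler" comes from the text above.
DEMOGRAPHIC = {"name", "date_of_birth", "phone", "address"}
CLINICAL = {"diagnoses", "medications", "lab_results"}

ROLE_FIELDS = {
    "scheduler": DEMOGRAPHIC,
    "physician": DEMOGRAPHIC | CLINICAL,
}

AUDIT_LOG = []  # stand-in for an append-only audit store

# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "phone": "555-0100",
    "diagnoses": ["constructed diagnosis"],
}


def read_record(user, role, record, requested):
    """Return (granted fields, denied field names) for one read request."""
    # Deny by default: a role that is not listed is allowed nothing.
    allowed = ROLE_FIELDS.get(role, set())
    granted, denied = {}, []
    for field in requested:
        if field not in allowed:
            denied.append(field)
        elif field in record:
            granted[field] = record[field]
    # Record every refused request so attempts to reach PHI can be reviewed.
    if denied:
        AUDIT_LOG.append({
            "user": user,
            "role": role,
            "patient_id": record.get("patient_id"),
            "denied": denied,
        })
    return granted, denied
```

A scheduler who asks for `name`, `phone` and `diagnoses` receives the first two, and the refused `diagnoses` request lands in the audit log.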
5. Control physical access.
When trying to reduce cybersecurity risk, it's important to keep in mind that a breach can occur if the physical equipment is lost, stolen, or tampered with. Keep servers in a safe and secure place that is protected from unauthorized people as well as environmental hazards such as fire or water damage.
6. Limit network access.
For practices that rely on wireless networks, this is crucial. You must make sure your wireless router is operating only in encrypted mode to prevent any unauthorized users from gaining access to it. Another area of caution is peer-to-peer applications such as file sharing or instant messaging. The best practice to follow here is to prevent any staff from installing applications without approval. These applications run serious risks of being compromised, even after they have been uninstalled and are no longer used.
7. Plan for the unexpected.
Accidents and unplanned issues will arise. Be prepared for a power loss or a computer shutdown by ensuring your EHR is backed up regularly. Cloud computing is a good option when considering where to store backup data.
8. Maintain good computer habits.
Uninstall any applications that are not pertinent to running the practice. This reduces the risk of threat and eliminates unproductive activities. Disable remote file sharing and printing within the operating system to prevent an accidental breach. It is also important to maintain software management. Some practices regarding this include: disabling former employees' accounts and access, archiving old data files for storage, making sure old computers and equipment are wiped completely of all existing data when they are removed, and ensuring all software that is not needed is uninstalled.
9. Protect mobile devices.
Be very wary about using mobile devices in your practice; their ease of use and portability run huge risks for cybersecurity. And if a physician must take their work home with them, the same rules for cybersecurity apply.
10. Establish a security culture.
Ensuring your practice is safe from security breaches must start with establishing a security culture. All staff must be trained on policies and security procedures. Physicians and office managers must set good examples by being stringent on security measures and expecting accountability from their medical staff.
While the threat of a medical security breach in your practice has a low perceived risk for some, don't just think, "that can't happen to me". No one is immune to data breaches, and it is always best to be prepared for the worst-case scenario.