Cybersecurity is a hot topic lately, particularly in the medical world. Cybersecurity is the defense of your computers, networks and data against attack, and for a small practice the threat you will run into most often is malware: any software that is intended to cause harm to your computer. In other words, anything nasty that is going to affect you. Malware comes in many forms, from viruses to ransomware. According to an article from TechTarget,
"These malicious programs can perform a variety of functions, including stealing, encrypting or deleting sensitive data, altering or hijacking core computing functions and monitoring users' computer activity without their permission."
Protected Health Information (PHI), the HIPAA term for identifiable health data, is a premium target for cyberattacks, and hackers will go to great lengths to steal it. Medical data is widely reported to be worth around 10 times what financial data is worth to cyberattackers, because unlike a stolen card number, a medical identity cannot simply be cancelled and reissued. PHI can include:
- Name, Address, Phone Number
- Social Security Number
- Date of Birth
- Insurance Information
- Medical Records, including test results
According to a recent article from Healthcare IT News, pediatric patient records are of especially high value when sold on the dark web. These records are often used to commit tax fraud, and because few people monitor a child's credit or tax filings, the misuse can go unnoticed for years.
If you’re like many people, you may tell yourself that this kind of thing happens to other practices and yours would never fall victim to a cyberattack. It’s time to change that thought pattern. Cybercrime is on the rise, and there are steps you can take to mitigate your practice’s risk. Often there are simple changes you can make that will have a big impact on increasing your security.
Many offices become targets of cyberattacks unintentionally. Here are some of the common ways staff can increase a practice's vulnerability:
- Opening emails from unknown senders, or emails that look suspicious in general, and especially opening their attachments.
- Clicking a link in an email that sends you to a malicious site. Hover over the link first; if the address it shows doesn't match where the email says it goes, don't click.
- Not logging out or locking your workstation when you leave your desk. This creates an opportunity for someone to get into the computer using your credentials. Imagine a patient with malicious intent. A provider leaves the workstation in the exam room momentarily and doesn't lock the computer; in those few unsupervised moments, the patient could access all of your practice's data under the provider's name. Set every workstation to lock itself after a few minutes of inactivity as a backstop for the times someone forgets.
- Opening malicious texts. Phones can receive malware, or links to sites that steal your password, by text message (so-called "smishing"). Be very careful with texts from unknown numbers, and don't tap links in them.
- Working over an unsecured network. We know you would NEVER chart at a coffeehouse with free (unsecured) wifi, but just in case you need a reminder... NEVER chart at a coffeehouse just because there is free wifi! It is far too easy for others on that network to see your traffic. The one exception is if you are sitting in the coffeehouse connected through your own VPN (Virtual Private Network), which carries your traffic in an encrypted tunnel back to your office. Even then, the VPN protects the connection, not the laptop: the person behind you can still read the screen, and the laptop can still be walked off with, so it needs a locked screen and an encrypted disk as well.
- Surfing the web at work. Even though no one would admit to surf time at the office, it happens, and malware can happen as a result. Even a trusted website can be compromised and then infect your office's computers when you unknowingly download malware. If you do go online, at least stick to reputable sites.
What are the bigger-picture things you can do to increase your practice's cybersecurity?
The #1 thing you can do is back up your data. Make it a business decision to have consistent backups, and make the process as easy for yourself as you can: if it is easy, you are more likely to stick with it. You can decide how you'd like to do it. For example, some offices do daily, weekly and monthly backups to external hard drives. You could alternate between two external hard drives so that if something happens to one, you'll still have the other, and store one onsite and one offsite in case of unforeseen problems such as fire, flood or theft. Two details matter more than the exact schedule: keep at least one copy disconnected from the network and the computers, because ransomware encrypts every drive it can reach, including a backup drive that is always plugged in; and encrypt the backup drives themselves, because a backup of PHI is still PHI. Your EHR vendor backs up all of your data, but it is imperative that you do your own local backups, particularly because anything that is not part of your vendor's product will not be included in your vendor's backups, e.g., Word documents stored on your practice's computers.
When deciding how to handle your backups, ask yourself, "How much data am I willing to lose? If something happens and I haven't backed up in a week, or a month, could I handle that? Can I handle losing even a day's worth of data?" Ask these questions before something happens, and test a restore every so often: a backup you have never restored from is not one you can count on. Comprehensive backups also take the leverage out of a ransomware attack. If a cyberattacker is holding your data hostage and will only return it for a fee, you won't get stuck having to pay if you can walk away and start fresh with data restored from a backup. Keep in mind that a backup gets your data back; it does not undo any copy the attacker took on the way in, so the incident still has to be investigated.
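The rotation described above, worked through in code as an added example that is not PCC's tooling or the EHR vendor's backup: a nightly job that archives a folder of local documents, alternates between two drives, keeps a daily/weekly/monthly set, writes and rechecks a checksum so a bad backup is found before it is needed, and prunes old archives. The folder and drive names are constructed for the demo; on a real machine the two drives would be the mount points of the two external disks, and encrypting the disks themselves is left to the operating system.

```python
"""Rotating, verified backups of a practice's local files.

Added example for this post, not PCC's tooling or the EHR's own backup.
It assumes a source folder of local documents and two folders standing
in for two alternating external drives; all names are constructed.
"""
from __future__ import annotations

import datetime as dt
import hashlib
import tarfile
import tempfile
from pathlib import Path

# How many archives to keep per tier. The tier a run lands in depends on
# the date, so one nightly job produces daily, weekly and monthly sets.
RETENTION = {"daily": 7, "weekly": 4, "monthly": 12}


def tier_for(date: dt.date) -> str:
    """First of the month is the monthly copy, Sunday the weekly, else daily."""
    if date.day == 1:
        return "monthly"
    if date.weekday() == 6:
        return "weekly"
    return "daily"


def drive_for(date: dt.date, drives: list[Path]) -> Path:
    """Alternate drives by date so losing one drive still leaves the other."""
    return drives[date.toordinal() % len(drives)]


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def prune(tier_dir: Path, keep: int) -> list[Path]:
    """Delete archives beyond `keep`, oldest first (ISO dates sort chronologically)."""
    archives = sorted(tier_dir.glob("*.tar.gz"))
    removed = archives[:-keep] if len(archives) > keep else []
    for old in removed:
        old.unlink()
        checksum = old.with_name(old.name + ".sha256")
        if checksum.exists():
            checksum.unlink()
    return removed


def make_backup(source: Path, drive: Path, date: dt.date) -> Path:
    """Archive `source` to <drive>/<tier>/<date>.tar.gz, verify it, record a checksum."""
    tier = tier_for(date)
    tier_dir = drive / tier
    tier_dir.mkdir(parents=True, exist_ok=True)
    archive = tier_dir / f"{date.isoformat()}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    # A backup you have never read back is a hope, not a backup: list it now.
    with tarfile.open(archive, "r:gz") as tar:
        if not tar.getmembers():
            raise RuntimeError(f"empty archive written: {archive}")
    archive.with_name(archive.name + ".sha256").write_text(sha256_of(archive))
    prune(tier_dir, RETENTION[tier])
    return archive


def verify_backup(archive: Path) -> bool:
    """Recheck the recorded checksum and that the archive still lists."""
    recorded = archive.with_name(archive.name + ".sha256").read_text().strip()
    if sha256_of(archive) != recorded:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        return bool(tar.getmembers())


def run_demo(nights: int = 40) -> dict:
    """Simulate `nights` nightly runs over a constructed sample folder; return counts."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    source = root / "practice-docs"
    source.mkdir()
    # Constructed sample files standing in for the Word documents the post mentions.
    (source / "referral-letter.docx").write_bytes(b"constructed sample document")
    (source / "front-desk-notes.txt").write_text("constructed sample notes\n")
    drives = [root / "external-drive-A", root / "external-drive-B"]
    start = dt.date(2024, 1, 1)  # a Monday, so the first run is the monthly copy
    last = None
    for offset in range(nights):
        night = start + dt.timedelta(days=offset)
        last = make_backup(source, drive_for(night, drives), night)
    counts = {
        tier: sum(len(list((d / tier).glob("*.tar.gz"))) for d in drives if (d / tier).is_dir())
        for tier in RETENTION
    }
    return {"counts": counts, "last_archive": last, "last_ok": verify_backup(last)}


if __name__ == "__main__":
    print(run_demo())
```

Run it as a script to see the counts after 40 simulated nights (14 daily, 5 weekly, 2 monthly across the two drives). The `prune` step is what keeps the drives from filling up, and `verify_backup` is the check worth scheduling separately, because the most common backup failure is a job that has been silently writing nothing for months.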
Create an Acceptable Use Policy for your practice. These are important to have and to enforce. These policies explicitly state your practice's rules around computer use for all staff. They may dictate what times of day staff can go online (e.g., lunch breaks only, or during slow times at the office, or not at all), or what websites are allowed or not (e.g., personal email is alright, but social media is not allowed). You can decide what you want your policy to be, but it is important to have one and make sure that all staff understand and adhere to it.
Create a Disaster Recovery/Business Continuity Plan for your practice. It is important to have a plan in place in case the worst happens. You may think you would know what to do, but the stress and chaos of a real emergency may create confusion. If you have a written plan in place to fall back on, you will be ahead of the game. Ready.gov supplies lots of resources about these kinds of plans.
Make sure your devices are up to date with vendor updates. Many operating system updates download and install automatically at night if your device is on, so you can stay updated with minimal effort. If you tend to shut your devices off at night, you'll need to check for updates manually. Keep web browsers themselves updated too, and remove old browser plugins such as Flash and Java rather than updating them: both are obsolete and no longer supported, and they have long been a common way in for malware.
Install ad blockers on your practice's computers. Malicious ads ("malvertising") are a common way malware reaches a computer, even from legitimate sites, so some form of protection matters. Some sites won't show their content unless you temporarily disable your ad blocker. Exercise caution in that case and only disable it on reputable sites; even then, you won't have 100% assurance that you are safe from malware.
Make sure all of your mobile devices are encrypted. Lost and stolen laptops and phones are among the most common causes of reportable breaches. When a device is encrypted, someone who steals it, or pulls out its hard drive, still can't read the information on it. Encryption is not always on by default on computers: on Windows, turn on BitLocker from the Control Panel (Home editions offer a simpler "Device encryption" setting instead); on a Mac, turn on FileVault in System Preferences. Modern phones are encrypted by default, but the encryption only protects you if a PIN or passphrase is set, so require one on every phone that touches practice data.
Use good passwords. Hear us when we say, 1234 is NOT an acceptable password! Length matters more than anything else: the best passwords are long phrases that are easy for you to remember, and a phrase of four or more words beats a short jumble every time. Don't count on substitutions like "2" instead of "two" or "@" instead of "a" to add strength; password-cracking tools try those automatically. Eight characters is the bare minimum, and twelve or more is a much better floor. Use a password manager to generate and store a different password for every site, and spend your memorable phrase on the manager's master password; a reputable manager is far safer than reusing one password everywhere or keeping a list in a drawer. Please don't use the same thing for your username and your password. And last but not least, don't use the same password for every site you visit, and turn on multi-factor authentication wherever your EHR, email or bank offers it. All of this may seem like obvious advice, but a surprising number of people do not follow it.
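The checks above, as an added example that is not PCC's code: a small function that rejects short passwords, passwords equal to the username, and passwords that match a common-password list even after undoing the usual letter-for-number substitutions, which is the reason "2" for "two" buys so little. The common-password list is a constructed ten-entry stand-in; a real deployment would check against a large leaked-password list.

```python
"""Password checks for a practice's logins.

Added example for this post, not PCC's code. It shows why a short
password or a predictable substitution ("2" for "two", "@" for "a")
adds little. The common-password list is a tiny constructed stand-in
for a real leaked-password list.
"""
from __future__ import annotations

MIN_LENGTH = 12

# Constructed sample; a real check uses a list of millions of leaked passwords.
COMMON_PASSWORDS = {
    "1234", "12345678", "password", "passw0rd", "p@ssw0rd", "letmein",
    "welcome1", "qwerty123", "summer2024", "pediatrics",
}

# Substitutions that cracking tools try automatically. Undoing them before
# the lookup means "P@ssw0rd" is judged as "password".
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "2": "to",
})


def normalize(password: str) -> str:
    """Lower-case and undo common substitutions so variants collapse together."""
    return password.lower().translate(LEET)


def check_password(password: str, username: str = "") -> list[str]:
    """Return the problems found; an empty list means the password passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and password.lower() == username.lower():
        problems.append("same as the username")
    # Check both the raw password and its de-substituted form against the list.
    normalized_common = {normalize(p) for p in COMMON_PASSWORDS}
    if password.lower() in COMMON_PASSWORDS or normalize(password) in normalized_common:
        problems.append("matches a common password (even after undoing substitutions)")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the two the post warns about and one it recommends.
    for candidate in ("1234", "P@ssw0rd", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate) or "ok")
```

"P@ssw0rd" fails the same way "password" does because the check looks at what the password becomes once the substitutions are undone; the four-word phrase passes on length alone, which is the point of the advice.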
Use Endpoint Protection. That means things like anti-virus software or anti-malware software. There are lots of product options out there, just make sure you get something and use it.
What should you do immediately if your practice is the victim of a cyberattack?
Worst-case scenario: you arrive at your office one morning to find all your data inaccessible because of a ransomware attack or a virus. Here is what you should do:
- Get all your computers off the network: shut down your wireless and unplug any computer with a wired connection. Isolating the machines stops the infection from spreading to other workstations, the server or a connected backup drive.
- Don't wipe, reinstall or restore anything yet. Your IT provider needs to see the machines as they are to work out what happened, and you need to know that the backup you restore from is clean.
- Call your local IT provider.
- Call the FBI if you are dealing with ransomware, through your local field office or at ic3.gov. The FBI advises against paying; paying doesn't guarantee you get your data back.
- Let your EHR vendor know right away.
Keep in mind that under HIPAA a ransomware infection of systems holding PHI is presumed to be a breach unless your risk assessment shows the data was not compromised, so your breach notification obligations may apply. And most importantly, learn from your experience in order to inform your future actions and decisions.
Here at PCC, protecting our clients is a priority and an area of expertise. Just a few of the many things we do to stave off cyberattacks include:
- Backing up all our clients for disaster recovery and other purposes
- Providing multi-level protection, including firewalls that scan for viruses and malware
- Scanning email for malware
- Maintaining patches on our servers