Cybersecurity is a hot topic lately, particularly in the medical world. Cybersecurity is the practice of protecting your computers, networks and data from attack. A large part of that work is defending against malware, which is any software written to harm your computer or to steal, lock up or spy on what is stored on it. Malware can include:
According to an article from TechTarget,
These malicious programs can perform a variety of functions, including stealing, encrypting or deleting sensitive data, altering or hijacking core computing functions and monitoring users' computer activity without their permission.
Protected Health Information (PHI) is a premium target for cyberattacks, and attackers will go to great lengths to steal it. Stolen medical records are widely reported to sell for as much as ten times the price of stolen credit card numbers, because a compromised card can be cancelled and reissued within days, while a patient's diagnoses, insurance details and Social Security number cannot. PHI can refer to:
According to a recent article from Healthcare IT News, pediatric patient records are of especially high value when sold on the dark web. These records are often used to commit tax fraud: a child's Social Security number has no credit or tax history attached to it, so a fraudulent return or account opened in that number can go unnoticed for years.
If you’re like many people, you may tell yourself that this kind of thing happens to other practices and yours would never fall victim to a cyberattack. It’s time to change that thought pattern. Cybercrime is on the rise, and there are steps you can take to mitigate your practice’s risk. Often there are simple changes you can make that will have a big impact on increasing your security.
Many offices open themselves up to attack without realizing it. Here are some of the common ways staff may increase a practice's vulnerability:
The #1 thing you can do is back up your data. Make it a business decision to have consistent backups, and make the routine as easy for yourself as you can; if it is easy, you are more likely to stick with it. You can decide how you'd like to do it. For example, some offices do daily, weekly, and monthly backups to external hard drives. You could alternate between two external hard drives so that if something happens to one, you'll still have the other, and store one onsite and one offsite in case of unforeseen issues such as fire, flood, or theft. Whatever the schedule, unplug the backup drive when the job finishes, and test restoring a few files from it now and then: a backup you have never restored from is a hope, not a plan. Your EHR vendor backs up all of your data, but it is imperative that you do your own local backups, particularly because anything that is not part of your vendor's product will not be included in your vendor's backups, e.g., Word documents you have stored on your practice's computers.
When deciding how to handle your backups, simply ask yourself, "How much data am I willing to lose? If something happens and I haven't backed up in a week, or a month, could I handle that? Can I handle even losing a day's worth of data?" It's important to ask yourself these questions before something happens. Comprehensive backups will not stop a ransomware attack, but they take away its leverage. If an attacker is holding your data hostage and will only return it for a fee, you won't get stuck having to pay if you can wipe the affected machines and restore from a backup. That only works if at least one copy was out of reach: ransomware encrypts every drive and network share it can find, including a backup disk that was left plugged in.
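The two habits above, rotating backup sets and actually testing a restore, look like this in practice. The script below is an added example written for this article, not PCC's tooling or anything the EHR vendor ships. It assumes a source folder of the practice's non-EHR files and a destination folder on an external drive (both hypothetical paths supplied by the caller), keeps the newest KEEP sets (an assumed rotation depth), writes a SHA-256 manifest beside each archive, and verifies a backup by restoring it into a scratch directory and re-hashing every file. The sample files in demo() are constructed and contain no patient data.

```python
"""Rotating backup with a restore check (added example; not PCC's tooling).

Assumptions: the practice's non-EHR files live under a source folder, backups
go to a destination folder on an external drive (hypothetical paths passed in
by the caller), and KEEP is the rotation depth the office has chosen.
"""
import datetime as dt
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

KEEP = 7  # assumed rotation depth: keep the newest seven backup sets


def sha256_of(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large scans don't sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, dest: Path, keep: int = KEEP) -> tuple:
    """Write backup-<timestamp>.tar.gz plus a JSON manifest into dest, then
    delete the oldest sets beyond `keep`. Returns (archive, manifest) paths."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = dt.datetime.now().strftime("%Y%m%d-%H%M%S-%f")
    archive = dest / f"backup-{stamp}.tar.gz"
    manifest = dest / f"backup-{stamp}.manifest.json"
    manifest.write_text(json.dumps(build_manifest(src), indent=1))
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
    # Names sort chronologically, so the oldest sets are at the front.
    for old in sorted(dest.glob("backup-*.tar.gz"))[:-keep]:
        old.unlink()
        old.with_name(old.name.replace(".tar.gz", ".manifest.json")).unlink(missing_ok=True)
    return archive, manifest


def verify_backup(archive: Path, manifest: Path) -> list:
    """Restore the archive into a scratch directory and re-hash every file
    against the manifest. Returns a list of problems; empty means the backup
    restores cleanly. Run this against the backup drive, not the original."""
    expected = json.loads(manifest.read_text())
    problems = []
    # Python 3.12+ (and patched 3.8-3.11) support extraction filters; use the
    # 'data' filter so a tampered archive cannot write outside the scratch dir.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        actual = build_manifest(Path(scratch) / "data")
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in sorted(actual.keys() - expected.keys()):
        problems.append(f"unexpected file in archive: {rel}")
    return problems


def demo() -> dict:
    """Constructed sample files (no real patient data): back up, verify, then
    corrupt the manifest to show what a failed restore check looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "practice"
        (src / "letters").mkdir(parents=True)
        (src / "letters" / "referral.txt").write_text("constructed sample letter\n")
        (src / "billing.csv").write_text("id,amount\n1,20\n")
        archive, manifest = make_backup(src, Path(tmp) / "usb_drive")
        clean = verify_backup(archive, manifest)
        data = json.loads(manifest.read_text())
        data["billing.csv"] = "0" * 64  # simulate a corrupted or tampered copy
        manifest.write_text(json.dumps(data))
        tampered = verify_backup(archive, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Schedule make_backup() with Task Scheduler or cron against the external drive, and run verify_backup() from a different machine than the one that wrote the archive whenever you swap drives; if the check fails, you find out on an ordinary Tuesday rather than on the morning the office is locked out.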
Computer use policies are important to have and to enforce. These policies explicitly state your practice's rules around computer use for all staff. They may dictate what times of day staff can go online (e.g., lunch breaks only, or during slow times at the office, or not at all), or what websites are allowed or not (e.g., personal email is alright, but social media is not allowed). You can decide what you want your policy to be, but it is important to have one and make sure that all staff understand and adhere to it.
It is also important to have a written emergency plan in place in case the worst happens. You may think you would know what to do, but the stress and chaos of a real emergency may create confusion. If you have a written plan to fall back on, you will be ahead of the game. Ready.gov supplies lots of resources about these kinds of plans.
Make sure your devices are up to date with vendor updates. Many operating system updates download and install automatically at night if your device is on, so you can stay updated with minimal effort. If you tend to shut your devices off at night, you'll need to check for and install updates manually. Keep your web browsers and their extensions current as well. Browser plugins such as Adobe Flash and the Java plugin used to be the most common things to patch; Flash reached end of life in December 2020 and modern browsers no longer run the Java plugin, so if either is still installed on an office computer, uninstall it rather than update it.
Malicious advertising is one of the common ways malware reaches office computers, and it turns up on legitimate, high-traffic sites too, so it is important to have some form of protection such as an ad blocker. Some sites won't allow you to view content unless you temporarily disable your ad blocker. You should exercise caution in this case, and only disable it on reputable sites. Even then, you won't have 100% assurance that you are safe from malware.
Lost and stolen laptops and mobile devices are among the most common causes of reported healthcare data breaches. When you encrypt your devices, even if someone pulls out the hard drive they still will not be able to read the information on it without the key. Many PCs and Macs are not encrypted by default, so you need to turn it on yourself: on Windows, open the Control Panel and turn on BitLocker Drive Encryption (Windows Pro and above; Home editions offer a more limited Device encryption setting on supported hardware), and keep the recovery key somewhere other than the laptop itself. On a Mac, turn on FileVault in the Security settings. Mobile phones encrypt their storage by default, but that encryption only protects you if the device is locked with a PIN or passphrase, so set one and have the screen lock automatically.
Hear us when we say, 1234 is NOT an acceptable password! The best passwords are long passphrases that are easy for you to remember: several words strung together, ideally not a famous quotation or song lyric, since those already sit in attackers' word lists. Throw in a number or punctuation mark if the site requires it, but don't count on substitutions like "2" for "two" or "@" for "a" to add security; password-cracking tools try those swaps automatically. Eight characters is the bare minimum most systems accept, and a good passphrase is far longer; length does more for you than clever complexity. A reputable password manager is the practical way to keep a different strong password for every site: it generates and stores them, so you only have to remember one strong master passphrase, and that one account should also be protected with two-factor authentication. Please don't use the same thing for your username and your password. And last but not least, don't use the same password for every site you visit. All of this may seem like obvious advice, but a surprising number of people do not adhere to it.
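To see why a number or a swapped letter does not rescue a weak password, here is a small policy check written as an added example for this article (not PCC's code). The minimum length, the tiny blocklist and the substitution table are all constructed for illustration; a real check would use a breached-password list with hundreds of millions of entries. The point it demonstrates is that the checker, like a cracking tool, undoes the disguise before comparing: "P@ssw0rd!" and "Welcome123" are still "password" and "welcome".

```python
"""Passphrase check that sees through common substitutions (added example; not PCC's code).

Assumed policy (hypothetical values, not taken from the article): at least 12
characters, not a known bad password even after undoing "l33t" substitutions and
trailing digits, and not containing the user's login name.
"""
import re

MIN_LENGTH = 12  # assumed minimum; real policies should allow much longer phrases

# Constructed mini blocklist for the example. Real checks use breached-password
# lists with hundreds of millions of entries.
BLOCKLIST = {
    "password", "passw0rd", "letmein", "welcome", "qwerty", "1234",
    "12345678", "iloveyou", "monkey", "abc123", "dragon", "baseball",
}

# Substitutions cracking tools apply automatically, so they add no real strength.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def candidates(password: str) -> set:
    """Forms of the password a cracker would try: lowercased and stripped of
    punctuation, with trailing digits removed, and with substitutions undone."""
    lowered = password.lower()
    plain = re.sub(r"[^a-z0-9]", "", lowered)
    unleeted = re.sub(r"[^a-z]", "", lowered.translate(SUBSTITUTIONS))
    return {plain, plain.rstrip("0123456789"), unleeted}


def check_passphrase(password: str, username: str = "") -> list:
    """Return a list of policy problems; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidates(password) & BLOCKLIST:
        problems.append("matches a common password (substitutions do not hide it)")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    samples = [  # constructed examples, not real credentials
        ("1234", "frontdesk"),
        ("P@ssw0rd!", "frontdesk"),
        ("Welcome123", "frontdesk"),
        ("DrSmith2024!", "drsmith"),
        ("correct horse battery staple", "frontdesk"),
    ]
    for pw, user in samples:
        print(f"{pw!r}: {check_passphrase(pw, user) or 'ok'}")
```

Only the four-word phrase passes. Note that the check never tries to score "complexity"; it asks how short the password is and whether a cracker's first few guesses would already cover it, which is the question that actually matters.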
Endpoint protection means things like anti-virus or anti-malware software. There are lots of product options out there; just make sure you install something on every office computer, keep it updated, and use it.
Worst-case scenario: you arrive at your office one morning to find all your data is inaccessible due to a ransomware attack or a virus. Here is what you should do:
And most importantly, learn from your experience in order to inform your future actions and decisions.
Here at PCC, we provide the utmost protection for our clients. Cybersecurity is our priority, and our expertise. Just a few of the many things we do to stave off cyberattacks include: