Six (Inexpensive) Steps to Better Cybersecurity for Your Practice
By Lance Hayden
Physicians have a lot on their plates. Running a practice means combining the daily requirements of managing a complex business with commitments to patient care and treatment. Factor in the often daunting regulatory and technology environments of healthcare, and one can understand why practices may sometimes feel a bit overwhelmed. It’s no big surprise when physicians worry about how to address cybersecurity concerns on top of everything else.
Recent media coverage has put a spotlight on healthcare security. From large security breaches where medical records were stolen, to frightening ransomware scenarios where entire organizations find themselves in a hostage situation with their systems and data, healthcare providers increasingly find themselves wondering, “Could we be next?”
A typical medical practice also faces budget constraints and limited resources to take on new IT security projects. Many doctors feel they lack the knowledge and skills necessary to fully understand security concerns, much less mount an adequate defense against sophisticated hackers and cyber criminals.
Without the confidence to know they are putting effort and resources into the right areas, too many practices fall back on a wait-and-see strategy, or focus only on the “checkbox security” of minimum compliance standards that can pass an audit but may prove inadequate for defending against determined cyber threats. Unfortunately, apathy can set the stage for an attack, which can be followed by chaos and loss if a practice does get hit with a security incident.
The good news is that it doesn’t have to be this way. Although many physicians worry that security can only be achieved through expensive technologies or consultants, the fact is that the majority of security incidents are not the result of super hackers working technological magic.
Implement a Healthier IT Lifestyle
Security researchers have found that most attacks are preventable; they take advantage of known vulnerabilities that would have been easy to fix if the affected company had made a better effort. In this way, IT security is a lot like preventive medicine. No physician would be surprised if a patient with unhealthy day-to-day habits eventually developed a more serious condition, and the same applies to cybersecurity.
In this spirit, physicians can “heal themselves” of many cybersecurity problems by simply implementing a healthier IT lifestyle within their practices. None of the six steps below takes a lot of money, or a great deal of IT or security skill. But when they become part of a practice’s business habits, they can go a long way towards keeping a physician’s systems, data, and patients safer and happier.
1. Know What You Are Protecting. Do you keep track of your information and IT systems as well as you manage your pharmaceuticals or medical equipment? Information and IT systems are just as important to the success of your practice. You should take the time to inventory them, know where they are located, and understand your legal, regulatory, and business responsibilities for keeping them secure.
2. Keep Good Backups. In some cases, like ransomware, having a good, current backup can mean the difference between an inconvenience and a catastrophe. Make sure all of your important information is backed up, protected offsite, and regularly tested. If you don’t have the resources inside the practice, contract with a vendor to make sure you are prepared in an emergency.
3. Practice Strong Authentication. Even after decades of knowing better, weak and easy-to-guess passwords are still one of the most common ways that attackers get in. Today, it’s very easy to pick strong passwords you won’t forget by using a password manager. And make sure to turn on two-factor authentication wherever possible; this requires users to enter a code from a phone or another device as well as a password when logging in.
4. Lock Down Your Technology. Don’t make your IT systems an easy target. Keep them current by regularly downloading and installing vendor patches and updates. Avoid running open WiFi networks inside your practice. Turn on WiFi Protected Access 2 (WPA2) in your wireless routers, with strong passwords. Don’t let guests connect to the same networks that the practice uses for business.
5. Develop an Incident Response Plan. The worst possible time to be figuring out how to handle a security breach is in the middle of one. An emergency room wouldn’t wait until the ambulance was pulling in to prepare, and you shouldn’t put off planning for a security incident. Develop a protocol for security breaches, including who’s in charge, who gets called, and what steps get taken and in what order.
6. Make People Your First Line of Defense. Effective cybersecurity requires people, processes, and technology to work. And a “human firewall” can be one of your most powerful defenses against attackers. Devote time to writing good security policies and guidelines, and hold everyone accountable for following them. Policies without training are not very useful, though, so make the effort to ensure everyone understands them and knows what they require. Then, test your users against phishing attacks and other common attack vectors so that everyone is prepared in advance.
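Step 2 says backups must be current and regularly tested, and the only test that counts is a restore. The following script is an added example, not part of the original article: it takes a compressed archive of a folder, records a SHA-256 manifest of the live files, restores the archive into a scratch directory and compares the two. The sample “records” folder and its contents are constructed for the demonstration; the archive format and hashing are standard-library only.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of one file, read in chunks so large scans and images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def make_backup(source_dir, archive_path):
    """Write a .tar.gz of source_dir and return the manifest of what was live at that moment."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return manifest(source_dir)


def verify_backup(archive_path, expected):
    """Restore the archive into a scratch directory and diff it against the expected manifest.

    Returns a dict with 'ok', plus the lists of files that are missing from the
    restore or whose content no longer matches.
    """
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):      # newer Pythons: refuse path traversal in the archive
                tar.extractall(restore_dir, filter="data")
            else:
                tar.extractall(restore_dir)
        restored = manifest(restore_dir)
    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(k for k in expected
                       if k in restored and restored[k] != expected[k])
    return {"ok": not missing and not corrupted,
            "missing": missing, "corrupted": corrupted}


def run_demo():
    """Constructed sample: a tiny records folder backed up twice.

    The first archive is taken before a new file is added, so it is 'stale';
    the second is taken afterwards. Both are verified against the current state.
    Returns (fresh_result, stale_result).
    """
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "records"
        data.mkdir()
        (data / "schedule.csv").write_text("2024-05-01,09:00,checkup\n")   # constructed
        (data / "notes.txt").write_text("follow-up in six weeks\n")       # constructed

        stale_archive = Path(work) / "stale.tar.gz"
        make_backup(data, stale_archive)

        (data / "new_patient.txt").write_text("intake form received\n")   # constructed, added later
        fresh_archive = Path(work) / "fresh.tar.gz"
        current = make_backup(data, fresh_archive)

        fresh = verify_backup(fresh_archive, current)
        stale = verify_backup(stale_archive, current)
    return fresh, stale


if __name__ == "__main__":
    fresh, stale = run_demo()
    print("fresh backup ok:", fresh["ok"])
    print("stale backup ok:", stale["ok"], "missing:", stale["missing"])
```

Run on a schedule against the real backup location, a failing result is the early warning the article is asking for: the stale archive in the demo restores cleanly yet still fails, because the test compares against what the practice has now, not against what the archive claims to contain.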
Implementing these six habits in your practice can go a long way towards protecting yourself from attack, and none of these activities requires a major budget expenditure. As in medicine, prevention is the best cure when it comes to cybersecurity.
Information and resources are easy to find these days if you want to know more. Check out these public websites specifically set up for small businesses as a starting place:
- HealthIT.gov https://www.healthit.gov/providers-professionals/ehr-privacy-security/resources
- Small Business Administration https://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses
- Federal Communications Commission https://www.fcc.gov/cyberplanner
Lance Hayden is the chief privacy and security officer of EPatientFinder in Austin, TX.