A 2017 survey the American Medical Association conducted with 1,300 physicians indicated that more than eight out of 10 had experienced some sort of cyberattack. Medical records are very valuable to hackers and thieves: cancelling a stolen credit card is trivial, but people can’t cancel their medical history. Plus, medical records contain personally identifiable information such as names, addresses and social security numbers.
As a practice, you want to do everything in your power to keep your patients’ records safe, and not just for your HIPAA compliance. That’s why we’ve compiled some tips to help keep your patients’ information under lock and key, even when it’s stored on a computer:
Start With a Culture of Security
The weakest link in any IT system is the human using it, and that holds doubly true for information security. It’s not enough to hold a single training session and assume you’re protected from bad habits or bad judgement. Educate yourself and your staff on proper cybersecurity practices, such as requiring employees to change their passwords every two months and not allowing them to reuse any of their previous 10 passwords.
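The two password rules just described (a 60-day maximum age and no reuse within the last 10 passwords) can be enforced by the system rather than left to habit. The following is an added example, not code from the original post; it assumes each account keeps a short list of salted PBKDF2 hashes of previous passwords (never the passwords themselves) and the time the current one was set. The account name, sample passwords and dates are constructed for the demo.

```python
"""Password-history and rotation check (added example; assumes the account
store keeps salted PBKDF2 hashes of the last 10 passwords, newest first)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

HISTORY_DEPTH = 10            # the post's rule: no reuse within the last 10 passwords
MAX_AGE = timedelta(days=60)  # the post's rule: rotate every two months
PBKDF2_ROUNDS = 50_000        # kept low so the demo runs quickly; use far more in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored history cannot be reversed to plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest first
    last_changed: Optional[datetime] = None

    def was_used_recently(self, candidate: str) -> bool:
        """Re-hash the candidate with each stored salt; constant-time compare."""
        for salt, digest in self.history[:HISTORY_DEPTH]:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return True
        return False

    def set_password(self, new_password: str, now: datetime) -> None:
        if self.was_used_recently(new_password):
            raise ValueError(f"password matches one of the last {HISTORY_DEPTH} passwords")
        salt = os.urandom(16)
        self.history.insert(0, (salt, hash_password(new_password, salt)))
        del self.history[HISTORY_DEPTH:]  # keep only the window the policy needs
        self.last_changed = now

    def rotation_due(self, now: datetime) -> bool:
        return self.last_changed is None or now - self.last_changed >= MAX_AGE


def run_demo() -> dict:
    """Walk one constructed account through the policy and report what happened."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = Account("reception1")
    acct.set_password("Winter-Sunrise-41", start)
    results = {}
    # Reusing the current password is rejected.
    try:
        acct.set_password("Winter-Sunrise-41", start + timedelta(days=61))
        results["reuse_rejected"] = False
    except ValueError:
        results["reuse_rejected"] = True
    # Ten more rotations push the first password out of the 10-deep window.
    for i in range(HISTORY_DEPTH):
        acct.set_password(f"Spring-Meadow-{i:02d}", start + timedelta(days=61 * (i + 1)))
    results["history_len"] = len(acct.history)
    results["original_allowed_again"] = not acct.was_used_recently("Winter-Sunrise-41")
    results["rotation_due_at_59_days"] = acct.rotation_due(acct.last_changed + timedelta(days=59))
    results["rotation_due_at_60_days"] = acct.rotation_due(acct.last_changed + timedelta(days=60))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The calendar check implements the post's stated policy; note that current NIST guidance (SP 800-63B) favours screening new passwords against known-breached lists and forcing a change when compromise is suspected over fixed-interval rotation, so pair the check above with breach screening where you can.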
It’s also important that you and your staff know what scams are lurking out there. For example, phishing is when attackers send fake emails, texts or phone calls to trick people into handing over information. But security goes beyond not falling for scams. You have to train your staff and convince them why information security matters. You have to make it a core value of your practice.
Password Protection Is Key
Mobile devices, be they laptops, smartphones or tablets, have added a new layer of convenience to medical practices, but that convenience can come at a cost to security. Mobile devices are more easily lost or stolen than desktops or other tethered devices, and they are sometimes used where unauthorized people can see sensitive data. That said, with the right precautions and proper staff training, the risks can be mitigated.
To start, whenever possible, mobile devices should be protected by two-factor authentication. Two-factor authentication requires two separate proofs before a device unlocks, such as a password followed by a PIN texted to the user’s phone. That makes it much harder and far less convenient for a thief to get at the data on a stolen device.
Building on this, you should strongly consider investing in tools such as password vaults. These password management programs, such as Dashlane or LastPass, allow you to store your passwords in a protected digital space.
Have a Plan
If the worst happens and your data is compromised, you may be locked out of your system for hours, days or even weeks. Thieves may attempt to sabotage your operations. Don’t let a security breach turn into a full-on disaster that keeps you from seeing patients: back up your data.
Disaster recovery plans are an often overlooked aspect of cybersecurity, but they’re required for HIPAA compliance. Make sure you have a daily backup of data that goes somewhere off-site and possibly offline. That way you’ll always have a copy of your electronic health records that you can easily access in the event of a breach, enabling you to continue seeing patients. A number of companies provide HIPAA-compliant, off-site, encrypted backup services.
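A backup is only useful if it actually restores, so the daily job should record what it backed up and prove the archive restores to identical content. The following is an added example, not the post's or any vendor's code: it assumes the EHR export sits in a local directory (a constructed two-file sample here), builds a dated archive with a SHA-256 manifest, then restores into a scratch directory and compares every file against the manifest. Copying the archive off-site or to offline media, and encrypting it, is assumed to be handled by a separate step or by the backup service.

```python
"""Dated backup with a hash manifest and a restore test (added example;
assumes a local export directory and that off-site copy and encryption
happen in a later step)."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from datetime import date
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under source."""
    return {str(p.relative_to(source)): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def create_backup(source: Path, dest_dir: Path, when: date) -> tuple[Path, dict]:
    """Write ehr-backup-<date>.tar.gz plus a sidecar .sha256 manifest."""
    manifest = build_manifest(source)
    archive = dest_dir / f"ehr-backup-{when.isoformat()}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="ehr")
    manifest_path = dest_dir / (archive.name + ".sha256")
    manifest_path.write_text("".join(f"{h}  {p}\n" for p, h in manifest.items()))
    return archive, manifest


def verify_restore(archive: Path, manifest: dict) -> list[str]:
    """Extract into a scratch directory; return paths that are missing, changed or unexpected."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' filter (Python 3.12, backported to older patch releases)
            # rejects absolute paths and '..' entries in untrusted archives.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = build_manifest(Path(scratch) / "ehr")
        for rel, digest in manifest.items():
            if restored.get(rel) != digest:
                problems.append(rel)
        for rel in restored:
            if rel not in manifest:
                problems.append(rel)
    return problems


def run_demo() -> dict:
    """Constructed sample: two fake files backed up, verified clean, then checked
    against a manifest whose recorded hash for one file no longer matches."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "ehr-export"
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "0001.json").write_text('{"id": 1, "note": "sample, not real PHI"}')
        (src / "schedule.csv").write_text("date,room\n2024-01-02,3\n")
        archive, manifest = create_backup(src, work, date(2024, 1, 2))
        clean = verify_restore(archive, manifest)
        # Stand-in for a file that changed between backup and restore.
        drifted = dict(manifest)
        drifted["schedule.csv"] = "0" * 64
        flagged = verify_restore(archive, drifted)
        return {"files": len(manifest), "clean_problems": clean, "drift_problems": flagged}


if __name__ == "__main__":
    print(run_demo())
```

Keep the manifest somewhere other than alongside the archive (for example with the practice's change log), so a corrupted or tampered copy of the backup is caught by the restore test rather than discovered on the day you need it.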
However, disaster recovery and contingency plans go beyond data backup. Other aspects of a disaster recovery plan include:
- An uninterruptible power supply or backup generator
- Antivirus software
- Fire safety measures such as sprinklers or extinguishers
- Surge protectors to prevent damage to equipment
Develop Good Habits
It’s important for information security culture to become ingrained in your practice. As a medical professional, you know how important it is for patients to build good habits for their health. It’s the same for the health of your information protection.
Here are some of the most useful habits to develop when it comes to cybersecurity.
- Disable remote file sharing and remote printing, and ask employees to turn off smartphone features such as Apple AirDrop
- Keep computers free of clutter and unnecessary programs
- Keep software, including operating systems, antivirus and EHR software, up to date
- Make sure any accounts for employees no longer employed at your practice are deactivated, and any devices that store data have that data destroyed before decommissioning
- Use a firewall at all times
At Points Group, we offer turnkey solutions for all of your website needs, including security. Contact us today.