A data breach is a nightmare scenario for any practice. If sensitive patient data got into the hands of the wrong person, your practice could suffer costly long-term consequences and damage to your reputation.
A 2016 study by the Ponemon Institute revealed some alarming statistics:
- Almost 90% of healthcare organizations are estimated to have experienced a data breach in the last two years
- The average cost of a HIPAA data breach is $380 per record
- Criminal attacks are the leading cause of data breaches in healthcare
What steps can you take to protect your data against an attack?
No system is truly hack proof, but there is a lot that can be done to protect your information. Here are some simple things you can do to guard against an attack.
Don’t wait to update your software
It can be an annoyance to install an update and reboot, but sticking with an outdated version means compromising your security. The latest version of a piece of software often includes patches for areas in which vulnerabilities have been revealed.
Use software that prioritizes cyber security
If you’re counting on your software to protect itself, you need to make sure you’re choosing software that holds cyber security as a top priority. Invest in systems that include:
- Next-generation firewalls
- Advanced malware detection
- Email and web gateways
- Multi-factor authentication
Set up password protected, time based screen locks
It’s easy to run to the restroom or take your lunch break and leave your computer unlocked until you return. Setting up screen locks that automatically kick in after a set period of mouse inactivity will protect your computer from a glancing passerby without the need to put it into sleep mode.
On a Mac you can set up hot corners to easily turn on your lock screen by moving the mouse to a corner of your choice.
Put password procedures in place
If a criminal is able to guess or access just one password that gives them access to your data, it’s game over. Putting password procedures in place will go a long way toward protecting your information. Enforce some requirements for everyone with access to sensitive data like:
- Don’t use the same password for more than one account
- Change your password every few weeks
- Include numbers, letters, upper and lower case, and symbols
- Require a minimum password length of 8 characters
Store and share passwords carefully
Ideally you’d want to remember your passwords without the need for storage, but that’s not always realistic, so be smart about your password storage. Use a secure password management system such as LastPass or Zoho Vault for your team’s password storage.
Most password management systems have a system for secure password sharing. Never share a username and password over email. If you need to share, send each piece of information on a different platform. For example, you may send a username over email, and then give the password over the phone.
Here are some additional do’s and don’ts of password protection:
- Don’t allow your browser to store your password
- Do use two-factor authentication whenever available
- Do set up security questions and keep personal information up to date
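The password requirements listed above (length, character classes, no reuse across accounts, rotation every few weeks) can be enforced in code at the point where a user sets a new password. The following is an added example, not code from this article or from any password manager it names; it assumes a rotation period of 42 days (the article only says "every few weeks") and that the practice keeps salted hashes, never plain text, of passwords already in use on other accounts.

```python
import hashlib
import os
import string

MIN_LENGTH = 8        # "minimum password length of 8 characters" (from the article)
MAX_AGE_DAYS = 42     # "change your password every few weeks": 42 days is an assumed value


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so plain text is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def complexity_problems(password):
    """Return the list of article requirements the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    checks = [
        ("no digit", any(c.isdigit() for c in password)),
        ("no upper-case letter", any(c.isupper() for c in password)),
        ("no lower-case letter", any(c.islower() for c in password)),
        ("no symbol", any(c in string.punctuation for c in password)),
    ]
    problems.extend(name for name, ok in checks if not ok)
    return problems


def is_reused(password, previous_hashes):
    """True if the candidate matches any (salt, digest) pair already on record,
    i.e. the same password is in use for another account or was used before."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in previous_hashes)


def is_stale(days_since_change):
    """True once a password has outlived the assumed rotation period."""
    return days_since_change > MAX_AGE_DAYS


def evaluate_password(password, previous_hashes=(), days_since_change=0):
    """Combine all checks; an empty list means the password is acceptable."""
    problems = complexity_problems(password)
    if is_reused(password, previous_hashes):
        problems.append("already used for another account")
    if is_stale(days_since_change):
        problems.append("older than the rotation period")
    return problems
```

The reuse check works only because each stored entry keeps its own salt; rehashing the candidate with that salt lets you compare without ever storing the old password itself.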
Control and monitor internal access to sensitive information
You should always know who on your team has access to what systems. Have a procedure in place in case someone needs to access information from a system they do not have a username and password for. This will help you keep up with who has access to what software, and help prevent sharing of passwords as a “one-time use.”
Controlling access to sensitive information internally means only the people who really need access will have it. Keep an eye on changing roles or daily tasks so you can revoke access to systems that are no longer required by your staff.
Continually educate staff and set expectations
Any security system is only as strong as its weakest link. Human factors play a part in the majority of cyber attacks. Keeping your staff informed about how valuable sensitive information is will keep security top of mind. Keeping everyone updated on password procedures and policies will ensure that everyone is on the same page about what is expected.
Don’t count on a single system to protect you
No system is 100% hack proof, but layering your defenses will give you a significant boost in protection. Having a backup method of defense in case your front line is infiltrated is highly recommended.
Use a backup hard drive and test regularly
Purchasing a backup or mirrored hard drive as an added security measure will help ensure that data that gets lost, damaged, or stolen can be recovered. This may add about 10-20% to the overall cost of your EHR system, but the added protection is well worth it.
Testing your backup on a regular basis will ensure that you can restore data if the need ever arises. When attempting a test restore, choose a time when the practice will not be affected by some downtime, and always restore to a server that is not live or you’ll risk corrupting your data.
Hire a forensic consultant
A forensic consultant will give you insight into your practice’s vulnerabilities and liabilities, and help you create an individualized security plan to protect your practice. If you’re on a tight budget, remember that this will help you avoid the cash you’d end up forking out in the case of a data breach.
Know the signs of a breach
If you don’t know what to look for, you could have a breach without realizing it. If you see any of these signs, you could be under attack:
- You’re locked out of your user account
- Strange outbound emails from your address
- A black computer screen
- Unusual browsing or account history