How much would you spend to get your life back? What about those of your patients? These are questions that many healthcare providers must ask themselves at one point or another. The healthcare sector has become one of the most heavily targeted sectors for hackers and cyber criminals because medical identity theft is an incredibly lucrative business. Millions of patient medical records were exposed in 2016, and that number is projected to rise this year. In an industry moving towards value-based payment models, quality care must now include protecting patient health information through safe record-keeping practices.
Cybersecurity in Healthcare is Different for Every Organization
Healthcare data security is by no means "one size fits all." A small, rural practice will invest differently than a large, metropolitan hospital. Based on your business and your particular needs, you should identify what data is most important to protect, then plan your safety measures accordingly. Perhaps you'll realize that technology isn't what's needed, but people and processes instead.
The average cyberattack for a small healthcare provider can cost upwards of $1 million in recovery. Read more about it in our white paper, "Healthcare, Cybersecurity, and You."
We're Our Own Worst Enemy
According to a recent study by the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG), users rather than technology issues are the top cause of cybersecurity risk in healthcare, because many employees fail to follow basic cyber safety rules. This happens for a range of reasons: lack of training, lack of dedicated cybersecurity personnel, or simply that policies exist on paper but aren't enforced by the organization. Following your safeguards plays an important role in forming a trusting relationship between provider and patient. It's not just a collection of data you're protecting, it's someone's life. Let's discuss a few tips to get your organization's record-keeping practices on the right track.
Establish a Security Culture
There's a major human blind spot with respect to information security: overconfidence. The "it will never happen to me" mindset. No matter the level of education or experience, the weakest link in any computer system is almost always the user. So, what can be done to ensure an organization-wide security culture?
- Frequent education and training - Ongoing, documented training gives staff the knowledge to follow policy and gives the organization the record it needs for discipline and compliance.
- Avoid exceptionalism - You shouldn't have a get-out-of-jail-free card as an executive. Those who manage and advise should set an example and take every precaution needed - the same as everyone else - to safeguard sensitive information.
- Information security as a core value - It should without a doubt take a seat at the table of core values within your organization. When staff embraces accountability and willingness to take responsibility over information security, you know you truly have a shared vision.
Use STRONG Passwords and Change Them When They May Be Compromised
Passwords are your first line of defense against unauthorized access to any computer. Whatever the operating system, every device should require a password (or another authentication factor) to log in. A strong password won't stop a determined attacker on its own, but it makes guessing and cracking far slower, and pairing it with multi-factor authentication on e-mail and remote access closes most of the remaining gap. Don't choose passwords that
- Are found in a dictionary
- Match your username
- Include personal information - Your name, birthday, family member names, pet names, etc.
- Refer to anything on your social media pages - Anything found on your social pages like Facebook and Twitter should never be used as a password, whether your profiles are private or not. Anything you post on social media CAN be found and potentially used against you.
A strong password is at least eight characters long and mixes upper- and lowercase letters, numbers, and at least one special character (e.g. *, ?, !). Longer is better: a passphrase of several unrelated words resists guessing far more than a short password that merely satisfies the complexity rule, and "P@ssw0rd!" meets every rule above while being among the first guesses in any attacker's wordlist. Current NIST guidance (SP 800-63B) therefore recommends screening new passwords against lists of known-breached and dictionary passwords, and replacing mandatory periodic changes with a prompt change whenever a password may have been exposed (a phishing incident, a breach at another site where it was reused, a departing employee who knew it).
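The rules above are easy to state and easy to get wrong when enforced mechanically, so here is an added example (not code from the original article) of a password screen that applies them the way a practitioner would: a minimum length, the character-class mix for short passwords only, a blocklist check that undoes common substitutions such as "@" for "a" and "0" for "o", and checks against the username and personal terms. The blocklist, the leet-substitution table, and the length thresholds are constructed for illustration and assumed; a real deployment would load a large breached-password corpus instead.

```python
import re

# Constructed mini "dictionary"/breached-password blocklist (assumed for
# illustration; real deployments use a corpus of millions of entries).
BLOCKLIST = {
    "password", "welcome", "letmein", "qwerty", "football",
    "summer2017", "hospital", "clinic",
}

# Substitutions attackers' wordlists already try, so "P@ssw0rd" is no
# stronger than "password". Table is an assumption for this example.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8            # the article's minimum
LONG_PASSPHRASE = 16      # assumed: at this length, skip the mix rule (NIST-style)


def normalize(pw):
    """Lowercase, strip trailing digits/symbols, undo leet substitutions.

    'P@ssw0rd2017!' -> 'password', so the blocklist check catches it.
    """
    low = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", low)
    return stripped.translate(LEET)


def check_password(pw, username, personal_terms):
    """Return the list of policy violations (empty list means acceptable).

    personal_terms: words a colleague or a social-media profile would reveal
    (first/last name, pet, birth year, favourite team...).
    """
    problems = []
    low = pw.lower()
    norm = normalize(pw)

    if len(pw) < MIN_LENGTH:
        problems.append("too short")

    has_mix = (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
               and re.search(r"\d", pw) and re.search(r"[^A-Za-z0-9]", pw))
    # A long passphrase of plain words is accepted without the class mix.
    if len(pw) < LONG_PASSPHRASE and not has_mix:
        problems.append("missing upper/lower/digit/symbol mix")

    if low in BLOCKLIST or norm in BLOCKLIST:
        problems.append("dictionary or breached word")

    if username.lower() in low:
        problems.append("contains username")

    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and (t in low or t in norm):
            problems.append(f"contains personal info: {term}")

    return problems


if __name__ == "__main__":
    # Constructed sample account: username plus facts from a public profile.
    user = "jsmith"
    personal = ["John", "Smith", "Rex", "1985"]
    for candidate in ["P@ssw0rd!", "Rex1985!", "jsmith2017",
                      "correct-horse-battery-staple"]:
        verdict = check_password(candidate, user, personal) or ["OK"]
        print(f"{candidate!r:32} {', '.join(verdict)}")
```

Note that "P@ssw0rd!" passes the length and complexity rules and is rejected only by the normalized blocklist check, while the long all-lowercase passphrase is accepted; that is the point of screening against known-bad passwords rather than trusting composition rules alone.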
Maintain Good Habits
Similar to eating fruits and vegetables or taking the stairs instead of the escalator in an effort to be healthier, a little goes a long way in a system maintenance regimen. Routine upkeep, including applying security updates promptly, keeps your systems healthy and reduces the risk of a breach.
- Uninstall software applications that aren't essential to running your practice - games, messaging applications, photo-sharing, etc.
- Don't simply accept default options when installing software on your device. Read through the options and understand each choice before accepting; installers often enable extras such as bundled add-ons, telemetry, or remote access by default.
- Disable file and printer sharing on any device that does not need it, including the laptops remote staff use. Left enabled, it can accidentally expose information to unauthorized locations.
Plan For the Unexpected: Use Firewalls and Anti-virus
Unless your practice is completely disconnected from the Internet, you should always run a firewall and anti-virus to protect against malicious intrusions. The firewall inspects traffic crossing the network boundary and allows or blocks it according to predetermined rules (direction, address, port, protocol); configure it to deny inbound connections by default and permit only what the practice actually needs. Anti-virus (or a modern endpoint detection and response product) is the layer behind it: it detects and stops malicious software that has already gotten past the perimeter, for example through a phishing attachment, so keep its engine and signatures up to date.
Control Access to PHI - Both Virtually and Physically
Never forget that the devices that hold sensitive information must also be secured from unauthorized physical access. Historically, a large share of reported breaches of electronic health information have come not from remote attacks but from the loss or theft of the device itself. Thumb and flash drives, CDs, DVDs, laptops, handhelds, desktops, hard drives, backup tapes, and even entire network servers can be physically removed and compromised. Securing these devices in locked rooms accessible only to limited staff, managing physical keys, and restricting staff from moving devices out of a secure area is a great start. Full-disk encryption on every laptop, workstation and portable drive is the other half: under the HIPAA Breach Notification Rule, PHI encrypted in line with HHS guidance is not "unsecured PHI", so a stolen encrypted laptop is a loss of hardware rather than a reportable breach.
In an industry that's shifting towards value-based care and payment models, true quality care cannot be accomplished without also taking the security of your patients' health information into consideration. Protecting patients through data security practice should become second-nature to your entire staff and executive team. Once it becomes one of your organization's core values and you begin to anticipate the worst, you will truly create a long-lasting environment of cybersecurity in healthcare benefiting the health and safety of your patients and your business.