I hate to say it, but your patients’ protected information could be at risk—that is, if you’re not taking the proper precautions to keep it secure. Every day, hackers and cyber criminals use malicious software (a.k.a. “malware”) to target businesses and individuals around the world. Malware has many incarnations—including computer worms, annoying pop-ups, and Trojan horses—but the term generally refers to any software that’s installed without the user’s knowledge or consent. And last year, we saw a serious increase in the use of a different kind of malware: ransomware.

In a ransomware situation, the attacker typically locks the victim’s computer or network—or threatens to make the victim’s private information public—unless the victim pays a ransom amount. It sounds like the stuff of Netflix thrillers, but unfortunately, it’s becoming fairly common: according to the US Small Business Association, an average of 4,000 ransomware attacks occurred every day in 2016, and the fallout can have devastating financial consequences. For healthcare facilities, the impact can be particularly disastrous because it’s not just the organization’s own information that is at risk: patients’ protected health records are on the line, too.

So, how can you protect your practice—and your patients’ information—from ransomware and other types of malware? Simple: Use the following tips to keep yourself—and your practice—safe.


1. Don’t click on anything suspicious.

The first step to protecting your network is understanding how malware makes its way onto your computer. The most common malware vehicles include:

  • email attachments;
  • removable storage drives;
  • downloaded software; and
  • links in emails, social media sites, or other websites.

This isn’t a complete list; there are many ways hackers can infiltrate your system, and no website is 100% safe from malicious attacks. But, there’s good news: malicious software is often easy to spot—especially if you know what to look for. So, before you open any download, email, or link, scan it for the following telltale signs:

  • The email isn’t addressed to an actual person. Fake emails often use a generic addressee (e.g., “customer” or “member”). Conversely, legitimate emails usually address you by your first or last name, if not both.
  • The text is riddled with typos and grammatical errors. Fake emails often contain grammar and spelling flubs, making them easier to spot.
  • The email or message comes from someone you don’t know. While friends and family can inadvertently send you a malicious link or download, you’re more likely to receive a harmful attachment from someone you don’t know.
  • It asks you for personal information. Do not—I repeat, do not—give out personal information via email. That includes your social security number, bank account information, and passwords. Legitimate businesses should never ask for sensitive information unless you are using their secure websites or apps—or speaking with a company representative in person or over the phone.
  • The URL in the address bar doesn’t match the link you clicked. For example, if the link says “www.webpt.com,” but the address it takes you to is “www.ptweb.com,” then there’s a solid chance something is amiss.
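
For whoever handles IT at your practice, here is an added example (not part of the original article or any WebPT tooling) that checks one message for three of the signs above: a generic addressee, a request for sensitive information, and link text that names a different domain than the link actually opens. It assumes a single-part HTML message; the function names, keyword lists, and sample email are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC = re.compile(r"\b(dear|hello|hi)\s+(valued\s+)?(customer|member|user)\b", re.I)
SENSITIVE = re.compile(r"social security|password|bank account", re.I)
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

class LinkCollector(HTMLParser):
    """Collect visible text and [href, link text] pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._in_a = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a = True
            self.links.append([dict(attrs).get("href") or "", ""])
    def handle_endtag(self, tag):
        self._in_a = self._in_a and tag != "a"
    def handle_data(self, data):
        self.text.append(data)
        if self._in_a:
            self.links[-1][1] += data

def host(value):  # hostname of a URL or bare domain, without a leading "www."
    h = (urlparse(value if "//" in value else "//" + value).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def phishing_signs(raw_email):
    """Return the telltale signs found in one raw, single-part email message."""
    msg = message_from_string(raw_email)
    parser = LinkCollector()
    parser.feed(msg.get_payload())  # assumption: body is one text/html part
    text, signs = " ".join(parser.text), []
    if GENERIC.search(text):
        signs.append("generic_greeting")
    if SENSITIVE.search(text):
        signs.append("asks_for_sensitive_info")
    for href, shown in parser.links:
        m = DOMAIN.search(shown)  # only links whose visible text names a domain
        if m and host(m.group(0)) != host(href):
            signs.append("link_mismatch")
    return signs

# Constructed sample message, using the article's two example domains.
SAMPLE = ("From: Support <support@ptweb.com>\nContent-Type: text/html\n\n"
          "<p>Dear customer,</p><p>Confirm your password at "
          '<a href="http://www.ptweb.com/login">www.webpt.com</a>.</p>')
```

A link whose visible text is just “click here” is not flagged by the mismatch check, so hovering over the link to see where it really goes is still worth the habit.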

2. Be wary of public Wi-Fi.

Ah yes, there’s nothing quite like grabbing a seat at your favorite coffee spot, logging on to the public Wi-Fi, and catching up on patient documentation, right? Not so fast. Any time you’re working with PHI or other sensitive information, you should always be on a private, password-protected network—no exceptions. This is because public Wi-Fi networks are highly exploitable and vulnerable to malicious attacks. If you must work outside of the office, consider using a VPN service.

Additionally, be mindful about who can access your private networks, and make sure your practice’s Wi-Fi is password-protected. If you offer Internet access to your patients, make sure that connection is separate from the one you use with your work devices.

3. Use protective software.

Hopefully, your practice already uses some kind of antivirus software or antispyware. (If not, drop what you’re doing and go get some.) But, not all software is created equal. So, if you need some guidance, check out this page from Tom’s Guide for a comprehensive look at the best antivirus options.

4. Restrict privileges.

Sometimes, the best way to protect your practice is to set boundaries for what can and can’t be done on work devices. This could mean having your IT person whitelist specific apps or sites in your browser so that they are the only things users can access. Alternatively, you can choose to blacklist specific sites—a much easier, though not quite as effective, option for most end users. You should also consider setting administrative privileges so that only users with admin credentials can download files.

5. Encrypt sensitive data.

If, for any reason, you must save documents containing PHI or other sensitive information to your device, be sure to encrypt and password-protect the files. Fortunately, both Macs and PCs provide easy ways to implement password protection. As for encrypting your data, there are several methods you can use to accomplish this, including compressing files with a program like 7-Zip or encoding them with a platform like BitLocker on Windows or FileVault on Mac.

6. Keep your software up to date.

Cyber threats are ever-evolving, and many software companies regularly update and patch their existing security protocols to help keep you safe. Typically, the software will alert you whenever an update becomes available—and when that happens, it’s crucial that you implement it as soon as possible, especially for any application you use to access sensitive information. This includes point-of-sale programs, Internet browsers, and operating systems such as Windows, iOS, and Linux.

7. Create a security policy.

Just as your clinic’s social media policy helps keep your staff from making HIPAA slip-ups on Facebook, your cyber security policy should arm them with basic information to help them identify potential threats—and outline what to do in the event that your practice falls prey to a cyber attack. But, did you know that as a HIPAA-covered business entity, you’re actually required to have written policies and procedures for protecting PHI? If not—and if your practice doesn’t have any—then we’d recommend creating and implementing some ASAP. Not sure where to start? This article from Malwarebytes offers an in-depth outline for building a cyber security policy. At minimum, this policy should establish:

  • who is responsible for maintaining the policy and training staff on it;
  • who can access protected data;
  • how to report security incidents (and who responds to them); and
  • how your practice will store and protect data.

It’s also crucial that your staff not only receive training on how to adhere to your practice’s cyber security protocol, but also understand why it’s important.

The Internet can be a crazy, scary place. And if you’re a busy clinic owner or practice manager, the threat of a cyber attack might be one of many things that keep you up at night. However, taking the right precautions and having a plan in place—in addition to having safe, HIPAA-compliant EMR software—should help you rest easier. After all, it’s better to prepare for the worst and hope for the best than it is to leave it all to chance.
