I hate to say it, but your patients’ protected information could be at risk—that is, if you’re not taking the proper precautions to keep it secure. Every day, hackers and cyber criminals use malicious software (a.k.a. “malware”) to target businesses and individuals around the world. Malware has many incarnations—including computer worms, annoying pop-ups, and Trojan horses—but the term generally refers to any software that’s installed without the user’s knowledge or consent. And last year, we saw a serious increase in the use of a different kind of malware: ransomware.

In a ransomware situation, the attacker typically locks the victim’s computer or network—or threatens to make the victim’s private information public—unless the victim pays a ransom amount. It sounds like the stuff of Netflix thrillers, but unfortunately, it’s becoming fairly common: according to the US Small Business Association, an average of 4,000 ransomware attacks occurred every day in 2016, and the fallout can have devastating financial consequences. For healthcare facilities, the impact can be particularly disastrous because it’s not just the organization’s own information that is at risk: patients’ protected health records are on the line, too.

So, how can you protect your practice—and your patients’ information—from ransomware and other types of malware? Simple: Use the following tips to keep yourself—and your practice—safe.


1. Don’t click on anything suspicious.

The first step to protecting your network is understanding how malware makes its way onto your computer. The most common malware vehicles include:

  • email attachments;
  • removable storage drives;
  • downloaded software; and
  • links in emails, social media sites, or other websites.

This isn’t a complete list; there are many ways hackers can infiltrate your system, and no website is 100% safe from malicious attacks. But, there’s good news: malicious software is often easy to spot—especially if you know what to look for. So, before you open any download, email, or link, scan it for the following telltale signs:

  • The email isn’t addressed to an actual person. Fake emails often use a generic addressee (e.g., “customer” or “member”). By contrast, legitimate emails usually address you by your first or last name, if not both.
  • The text is riddled with typos and grammatical errors. Fake emails often contain grammar and spelling flubs, making them easier to spot.
  • The email or message comes from someone you don’t know. While friends and family can inadvertently send you a malicious link or download, you’re more likely to receive a harmful attachment from someone you don’t know.
  • It asks you for personal information. Do not—I repeat, do not—give out personal information via email. That includes your Social Security number, bank account information, and passwords. Legitimate businesses should never ask for sensitive information unless you are using their secure websites or apps—or speaking with a company representative in person or over the phone.
  • The URL in the address bar doesn’t match the link you clicked. For example, if the link says “www.webpt.com,” but the address it takes you to is “www.ptweb.com,” then there’s a solid chance something is amiss.
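The last warning sign above, a link whose visible text names one site while its destination is another, is something you can check automatically before anyone clicks. The following Python script is an added example, not code from the original post; it scans an HTML email body (a constructed sample is embedded) and flags anchors whose displayed text names a different host than the actual `href`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the original post): the first link's
# visible text says www.webpt.com but its href goes to www.ptweb.com.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Please verify your account at <a href="http://www.ptweb.com/login">www.webpt.com</a>.</p>
<p>Or visit <a href="https://www.webpt.com/help">www.webpt.com/help</a>.</p>
"""

# Matches a hostname inside visible link text, with or without a scheme.
_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None  # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return (href, text) pairs whose visible text names a different host than href."""
    parser = _LinkCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        m = _HOST_RE.search(text)
        text_host = m.group(1).lower() if m else None
        # Only flag links whose text looks like a URL for a *different* host.
        if text_host and href_host and text_host != href_host:
            mismatches.append((href, text))
    return mismatches
```

Links whose text is plain words (“click here”) are not flagged, since there is no claimed host to compare; the check targets the specific deception described above.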

2. Be wary of public Wi-Fi.

Ah yes, there’s nothing quite like grabbing a seat at your favorite coffee spot, logging on to the public Wi-Fi, and catching up on patient documentation, right? Not so fast. Any time you’re working with PHI or other sensitive information, you should always be on a private, password-protected network—no exceptions. Public Wi-Fi networks are easy targets: anyone else on the same open network may be able to intercept or tamper with what you send. If you must work outside of the office, consider using a VPN service.

Additionally, be mindful about who can access your private networks, and make sure your practice’s Wi-Fi is password-protected. If you offer Internet access to your patients, make sure that connection is separate from the one you use with your work devices.

3. Use protective software.

Hopefully, your practice already uses some kind of antivirus software or antispyware. (If not, drop what you’re doing and go get some.) But, not all software is created equal. So, if you need some guidance, check out this page from Tom’s Guide for a comprehensive look at the best antivirus options.

4. Restrict privileges.

Sometimes, the best way to protect your practice is to set boundaries for what can and can’t be done on work devices. This could mean having your IT person whitelist specific apps or sites in your browser so that they are the only things users can access. Alternatively, you can choose to blacklist specific sites—a much easier, though not quite as effective, option for most end users. You should also consider setting administrative privileges so that only users with admin credentials can download files.

5. Encrypt sensitive data.

If, for any reason, you must save documents containing PHI or other sensitive information to your device, be sure to encrypt and password-protect the files. Fortunately, both Macs and PCs provide easy ways to implement password protection. As for encrypting your data, there are several methods you can use, including creating a password-protected archive with a program like 7-Zip (which encrypts the archive’s contents) or enabling disk encryption with BitLocker on Windows or FileVault on Mac.

6. Keep your software up to date.

Cyber threats are ever-evolving, and software vendors regularly release updates that patch newly discovered security flaws to help keep you safe. Typically, the software will alert you whenever an update becomes available—and when that happens, it’s crucial that you install it as soon as possible, especially for any application you use to access sensitive information. This includes point-of-sale programs, Internet browsers, and operating systems such as Windows, iOS, and Linux.

7. Create a security policy.

Just as your clinic’s social media policy helps keep your staff from making HIPAA slip-ups on Facebook, your cyber security policy should arm them with basic information to help them identify potential threats—and outline what to do in the event that your practice falls prey to a cyber attack. But, did you know that as a HIPAA-covered business entity, you’re actually required to have written policies and procedures for protecting PHI? If not—and if your practice doesn’t have any—then we’d recommend creating and implementing some ASAP. Not sure where to start? This article from Malwarebytes offers an in-depth outline for building a cyber security policy. At minimum, this policy should establish:

  • who is responsible for maintaining the policy and training staff on it;
  • who can access protected data;
  • how to report security incidents (and who responds to them); and
  • how your practice will store and protect data.

It’s also crucial that your staff not only receive training on how to adhere to your practice’s cyber security protocol, but also understand why it’s important.

The Internet can be a crazy, scary place. And if you’re a busy clinic owner or practice manager, the threat of a cyber attack might be one of many things that keep you up at night. However, taking the right precautions and having a plan in place—in addition to having a safe, HIPAA-compliant EMR software—should help you rest easier. After all, it’s better to prepare for the worst and hope for the best than it is to leave it all to chance.
