I hate to say it, but your patients’ protected information could be at risk—that is, if you’re not taking the proper precautions to keep it secure. Every day, hackers and cyber criminals use malicious software (a.k.a. “malware”) to target businesses and individuals around the world. Malware has many incarnations—including computer worms, annoying pop-ups, and Trojan horses—but the term generally refers to any software that’s installed without the user’s knowledge or consent. And last year, we saw a serious increase in the use of a different kind of malware: ransomware.
In a ransomware situation, the attacker typically locks the victim’s computer or network—or threatens to make victim’s private information public—unless the victim pays a ransom amount. It sounds like the stuff of Netflix thrillers, but unfortunately, it’s becoming fairly common: according to the US Small Business Association, an average of 4,000 ransomware attacks occurred every day in 2016, and the fallout can have devastating financial consequences. For healthcare facilities, the impact can be particularly disastrous because it’s not just the organization’s own information that is at risk: patients’ protected health records are on the line, too.
So, how can you protect your practice—and your patients’ information—from ransomware and other types of malware? Simple: Use the following tips to keep yourself—and your practice—safe.
1. Don’t click on anything suspicious.
The first step to protecting your network is understanding how malware makes its way onto your computer. The most common malware vehicles include:
- email attachments;
- removable storage drives;
- downloaded software; and
- links in emails, social media sites, or other websites.
This isn’t a complete list; there are many ways hackers can infiltrate your system, and no website is 100% safe from malicious attacks. But, there’s good news: malicious software is often easy to spot—especially if you know what to look for. So, before you open any download, email, or link, scan it for the following telltale signs:
- The email isn’t addressed to an actual person. Fake emails often use a generic addressee (e.g., “customer” or “member”). Conversely, legitimate emails usually address you by your first or last name, if not both.
- The text is riddled with typos and grammatical errors. Fake emails often contain grammar and spelling flubs, making them easier to spot.
- The email or message comes from someone you don’t know. While friends and family can inadvertently send you a malicious link or download, you’re more likely to receive a harmful attachment from someone you don’t know.
- It asks you for personal information. Do not—I repeat, do not—give out personal information via email. That includes your social security number, bank account information, and passwords. Legitimate businesses should never ask for sensitive information unless you are using their secure websites or apps—or speaking with a company representative in person or over the phone.
- The URL in the address bar doesn’t match the link you clicked. For example, if the link says “www.webpt.com,” but the address it takes you to is “www.ptweb.com,” then there’s a solid chance something is amiss.
2. Be wary of public Wi-Fi.
Ah yes, there’s nothing quite like grabbing a seat at your favorite coffee spot, logging on to the public Wi-Fi, and catching up on patient documentation, right? Not so fast. Any time you’re working with PHI or other sensitive information, you should always be on a private, password-protected network—no exceptions. This is because public Wi-Fi networks are highly exploitable and vulnerable to malicious attacks. If you must work outside of the office, consider using a VPN service.
Additionally, be mindful about who can access your private networks, and make sure your practice’s Wi-Fi is password-protected. If you offer Internet access to your patients, make sure that connection is separate from the one you use with your work devices.
3. Use protective software.
Hopefully, your practice already uses some kind of antivirus software or antispyware. (If not, drop what you’re doing and go get some.) But, not all software is created equal. So, if you need some guidance, check out this page from Tom’s Guide for a comprehensive look at the best antivirus options.
4. Restrict privileges.
Sometimes, the best way to protect your practice is to set boundaries for what can and can’t be done on work devices. This could mean having your IT person whitelist specific apps or sites in your browser so that they are the only things users can access. Alternatively, you can choose to blacklist specific sites—a much easier, though not quite as effective, option for most end users. You should also consider setting administrative privileges so that only users with admin credentials can download files.
5. Encrypt sensitive data.
If, for any reason, you must save documents containing PHI or other sensitive information to your device, be sure to encrypt and password-protect the files. Fortunately, both Macs and PCs provide easy ways to implement password protection. As for encrypting your data, there are several methods you can use to accomplish this, including compressing files with a program like 7-Zip or encoding them with a platform like BitLocker on Windows or FireVault on Mac.
6. Keep your software up to date.
Cyber threats are ever-evolving, and many software companies regularly update and patch their existing security protocols to help keep you safe. Typically, the software will alert you whenever an update becomes available—and when that happens, it’s crucial that you implement it as soon as possible, especially for any application you use to access sensitive information. This includes point-of-sale programs, Internet browsers, and operating systems such as Windows, iOS, and Linux.
7. Create a security policy.
Just as your clinic’s social media policy helps keep your staff from making HIPAA slip-ups on Facebook, your cyber security policy should arm them with basic information to help them identify potential threats—and outline what to do in the event that your practice falls prey to a cyber attack. But, did you know that as a HIPAA-covered business entity, you’re actually required to have written policies and procedures for protecting PHI? If not—and if your practice doesn’t have any—then we’d recommend creating and implementing some ASAP. Not sure where to start? This article from Malwarebytes offers an in-depth outline for building a cyber security policy. At minimum, this policy should establish:
- who is responsible for maintaining the policy and training staff on it;
- who can access protected data;
- how to report security incidents (and who responds to them); and
- how your practice will store and protect data.
It’s also crucial that your staff not only receive training on how to adhere to your practice’s cyber security protocol, but also understand why it’s important.
The Internet can be a crazy, scary place. And if you’re a busy clinic owner or practice manager, the threat of a cyber attack might be one of many things that keep you up at night. However, taking the right precautions and having a plan in place—in addition to having a safe, HIPAA-compliant EMR software—should help you rest easier. After all, it’s better to prepare for the worst and hope for the best than it is to leave it all to chance.