Cybersecurity: Uncovering methods to improve security are a click away

Controls to consider and implement  

Cybersecurity controls fall into three categories: technical, administrative, and physical. For our purposes, let's look at ways healthcare professionals can improve office security utilizing these three areas.  

Healthcare data, particularly electronic health records (EHR) records storing protected health information (PHI) such as detailed patient records, are a commodity of extreme value fetching as much as $1,000 each for cybercriminals according to an article by Fierce Healthcare.   

The turbulent healthcare economy and often complicated insurance systems are already straining practices. Cybersecurity concerns simply add another compounding problem to the already overworked medical ecosystem. Stay ahead of cyberattacks by putting simple preventative strategies into play.   

Proper passwords and proactive attitudes  

Cybersecurity is a topic that is not always on the forefront of topics for a healthcare practice, but unfortunately, PHI is a valuable commodity to cybercriminals. Thinking proactively about your approach to cybersecurity can mitigate many potential issues including costly data breaches or ransom attacks.  

Each year, review your cybersecurity protocols and update them with the latest information and best practices. Be sure to conduct audits of your technology partners and review their service level agreements in regards to cybersecurity and data management to ensure you understand the potential impacts to your practice. Lastly, institute annual cybersecurity training and education with your staff to uphold and remind your teams of the critical importance of cybersecurity measures.  

“Cybersecurity is an ongoing effort and should be treated as series of practices rather than a one-time, one size fits-all solution. By focusing on the basics – like Identity and Access Managment and education around detecting and reporting phishing emails -- healthcare practices can build a strong foundation to defeat cybersecurity attacks”

- Don Kleoppel, Chief Information and Security Officer, Greenway Health

Use good password hygiene  

Passwords act like locks on gates protecting digital information. Passwords serve as the first line of defense in your cybersecurity attack prevention toolkit and can prevent unauthorized access to sensitive information and patient data. 

According to recent recommendations by the National Institute of Standards and Technology (NIST), passwords should be changed annually, consist of a minimum of eight characters, and be simple enough for the user to remember. An overly complex password might prompt the user to write down the password. Make sure to regularly create new passwords and never reuse the same password in a different software. Also, refrain from placing passwords on paper; use a secure electronic password-keeper instead.  

Follow email and texting safety tips  

A common tactic of cybercriminals is to use impersonation schemes. The CEO of the company will not email and ask for your password or other sensitive information. It is easy to become too lax about answering emails, so always take the time to read the sender’s name and company name. Often, there will be misspellings when an impersonation scam happens.   

Be skeptical of urgent email requests and verify the sender. Inspect links and attachments closely before clicking on anything and make sharp-eyed decisions about what links or attachments you open. Check for spelling errors, grammar mistakes, or pay attention to offers that are “too good to be true.” These are all indications that the sender wants to steal information or has unfavorable intentions.  

Don’t leave unattended computers unlocked  

Educate staff regarding the security of their laptop or desktop. . Reminders to lock computer stations immediately when leaving the office or room could save your office millions. Stolen records can be used to buy prescriptions or defraud insurance companies. Overall, the best practice is to ensure technology is always secure before leaving the room or shutting down for the day.   

Train employees to spot cyber-attacks and equip them with an action plan  

Having a clear action plan helps your employees guard against cyberattacks. Therefore, work with your information technology provider to establish an action plan such as a contacts list to report a suspected cyber-attack or a unique email address where suspicious emails can be forwarded for their review.  

Office life is busy; however, a little extra security could save your patient’s precious medical information from  cyber threats. Success rates in preventing cybersecurity attacks improve if your practice has a plan.  

Partner with a cybersecurity ally for your technology  

To best protect sensitive EHR data, systems must have anti-virus, Intrusion Prevention, and firewall protections. When choosing an EHR vendor, consider ‘Best in KLAS’ products and services as those standings are based heavily on consumer feedback when rating healthcare technology products. Best in KLAS vendors can be considered even more substantiated when they have received a high-quality award for cybersecurity.   

While no product can guarantee a practice will avoid all security concerns, innovative software that is regularly maintained with real-time updates, security patches for vulnerabilities, and updates based on client feedback is essential.  

Look for preventative Multi-factor Authentication (MFA) features.  

One of the most highly regarded barriers to cyberattacks is Multi-Factor Authentication or MFA. Using Multi-Factor Authentication alone cuts the risks of modern cyberattacks by 99.9% and 96% of bulk phishing attempts according to an article by Zippia in February 2023.   

Ensure your EHR vendor and other software systems have multiple barriers to entry, like MFA, to help stymie cybercriminals. Utilizing multiple factors to verify an accessor’s identity, adds a layer of security, and decreases the chances of a hacker gaining access to your systems and data. MFA, when used in combination with the other topics discussed better protects your practice and your patients.    

Use products with antivirus, firewalls, and intrusion prevention systems (IPS).  

Use products employing 24/7 continuous monitoring to detect and  protect against harmful activity. Firewalls and intrusion prevention systems are powerful tools to block and identify threats. Strong protective and preventative controls can keep your systems safe. Just remember to continuously update and review your operating systems, 3rd party products and security tools like antivirus software. Cybercriminals evolve their attacks over time and regularly updating your software takes advantage of the latest patches, updates, and cybersecurity protection.  

Continued vigilance to navigate the future of cybersecurity  

The future of cybersecurity points to an uptick in attacks on practices, requiring vigilance and updated measures. Through employee training, password hygiene, action plans, and quality software, healthcare leaders can implement robust cybersecurity protocols.   

Cyber attackers will only become more sophisticated in their schemes. With the evolution of AI, machine learning, the key to a good defense is a good offense.