Cyber Security 10 Best Practices for the Small Healthcare Environment

Securing systems, information, and network from cyber-attacks is the key concern of almost every business today, healthcare being no exception in that matter. It is the healthcare industry that is more subject to data thefts and security breaches than any other in recent times. In the past few years, hacking incidents have grown in numbers. About 2.96 million patients’ records were compromised due to a nine-year hack on insurer dominion National’s servers. These facts are alarming, pointing towards the growing concern over healthcare cybersecurity.

Set up a Firewall

A firewall is one of the first steps of defense that businesses can have to fight against cyber-attacks. The job of a firewall is to inspect every message coming from the Internet or the local network into the system and decide which messages should be let in. It creates a barrier between your system and the cybercriminals.

By installing internal firewalls in the computers of your small healthcare practice, you can prevent the entry of the virus. Even if your employees are working from home, they must not forget to install the firewall into their system for additional protection.

If your EHR system is connected to the Internet, then setting up a firewall is essentially vital as it will prevent threats and intrusions from outside right at the source. A firewall can be in the form of a hardware device or a software product.

Software firewalls are pre-configured within some operating systems and start protecting the installation stage. Also, practices can buy separate firewall software from the market as well. In case of using a hardware firewall, healthcare organizations must take of subject specialists as the hardware needs to be configured, maintained, and monitored, which only experts can do better. 

Have a Documented BYOD Policy

It is essential for all small healthcare businesses as well to have proper documented Bring Your Own Device (BYOD) policy, giving priority to security checks and precautionary measures. Not only laptops and mobile phones, even healthcare wearables like fitness trackers and smartwatches that have wireless capabilities should also be included in the BYOD policy.  

In the healthcare environment, BYOD devices like smartphones, laptops, and portable storage media make Electronic Health Records (EHRs) vulnerable to theft. Even mobile devices are often exposed to electromagnetic interference from other medical devices, which may corrupt information stored on the device.

BYOD policy may be helpful to professionals, but it has its cons also. T use of mobile devices at various places to access electronic health data by healthcare professionals may unknowingly lead to unauthorized viewing, putting sensitive information at risk. Hence all BYOD mobile devices must be secured with access controls and strong authentication.

It is indeed essential that even small businesses in the healthcare sector ensure that all their employee devices that have access to company networks are password protected.

Educate Employees on Security Practices

In a small healthcare environment, often, medical staff or professionals are seen performing various responsibilities outside their designated tasks. Updating critical medical documents or handling electronic patient data can be one such task for which employees need to be adequately trained and made aware of security protocols and best practices. 

Healthcare businesses must ensure that they teach their employees on what security measures they must take to prevent any security threat targeting digital records. From time to time, policies should be updated, and employees should be educated on the changing security settings so that they can comply with it.

From installing anti-virus software to using a secure password, not sharing any data, and strictly following security norms, employees should be trained on how to address security concerns and prevent data loss.

Enforce Strong Passwords

As per the Keeper Security and Ponemon Institute Report, about 65 percent of SMBs that have a password policy hardly enforce it in reality. This is where they commit a mistake, making valuable business information vulnerable to security breaches and theft. To prevent unauthorized access to any device, a password is a must. 

The advice goes the same with small healthcare environments, as well. The need to have a strong password is even more essential in the healthcare space as millions of sensitive patient data is handled every day across systems and networks. Hence, small healthcare businesses should enforce a password that no one can easily guess and must keep changing it every 60 to 90 days.

Here are the characteristics of a strong password:

• Passwords should be lengthy, at least should include eight characters.
• It should be a combination of lower case and upper case letters along with at least one number, and on a special character.

*Note: Passwords based on name, date of birth, social security number, or any information quickly found on the social media site should be avoided.

Backing up Data Regularly

Creating a backup should be a routine exercise for all businesses. However, for small practices, backups are considered only when a crash takes place, or a data loss incident occurs, which is of no use as already damage will be done. Hence, right from the day the EHR system is installed in your practice, small healthcare businesses must start backing up the information, and it should be done regularly.

From database to human resource files, payable accounts, electronic spreadsheets, processing documents, and financial records, everything should be properly backed up so that it can be quickly restored when needed.

Cool stock photo, eh?

Businesses must test their backup data regularly to check how readily it can restore all the information. No matter where you hold the data backup, ensure that it is stored safely. One of the best options for backup storage is cloud computing, as it requires no technical expertise and huge investment. However, businesses should carefully select cloud backup so that the original file remains intact.

Install System Anti-Virus

Without proper anti-virus software installed in your EHRs, your healthcare data is at risk. Cyber attackers may steal, destroy, or take over the control of your system to access valuable information stored in your EHRs in the absence of protection.

However, often, small healthcare businesses overlook the importance of having anti-virus protection, thinking that cyber-attacks mostly target big companies. As a result, they end up losing sensitive data. So, the installation of anti-virus is a must no matter what is the size of your business. 

Your computer may be infected in multiple ways. From phishing attacks where the system gets infected when the user clicks the malicious link to outside sources like web downloads, emails, CDs, and flash drives, all these can bring the virus into your system if you don’t have anti-virus software installed.

Moreover, once installed, the software needs to be updated regularly to keep it up-to-date and competent to fight the latest threats.

Following are some symptoms that indicate your computer has been infected and you must take immediate measure:

• Browser leads to unwanted internet pages.
• Without any reason, the system repeatedly crashes
• Unwanted ads pop up on the screen
• The system doesn’t start normally
• User has no control on the pointer/mouse

Control Electronic Health Information Access

Setting up the password of your EHR system isn’t enough. An added layer of protection is necessary to prevent any unauthorized access to electronic health information. And for that, what could be better than limiting the access to such data to medical staff who need to know.

Not everyone in your small practice might need to access information. In that case, only those members should be identified and given access to electronic health information who need it and not sharing it with everyone.

Every staff within the practice has some specified role. Based on what information your team may need to function, share only those data with them. Grant access for each role based on who needs access to what kind of information in the EHR system.

The access control system can either be on the use of the operating system or may be built-in within a particular application or both. This will ensure that randomly, anyone in your practice doesn’t have permission to access anything even if it’s not in their area of work.

Control Network Access

In today’s office environment, the use of contemporary networking tools and technologies like instant messaging and peer-to-peer file sharing is quite common and popular as well. Even for broadband connections, offices use wireless routing, which makes networking easier but is also subject to unauthorized entries.

Especially in a healthcare setup, the use of these technologies threatens the security of sensitive healthcare information as the tools may open ways for outsiders to get access to the network of a healthcare practice.

Like others, even small practices rely on wireless routers for internet connectivity, which can be shared among multiple computers within the same network of the practice. However, while doing so, practices need to ensure that their wireless router is secured or else the signal can be picked up by someone else, which may pose a threat to the information being shared and accessed through the network.

That is why only authorized persons must get access to the network. Moreover, wireless routers should be protected with proper encryption codes.

Follow Good Computer Habits

Like the way maintaining good health is essential. Similarly, maintenance of good computer habits is key to ensure that your IT system functions properly and is less susceptible to cyber-attacks. Healthcare practices must pay heed to the proper maintenance of their IT setup, including the EHR system, to prevent cyber threats and security breaches, causing loss of data.

Here are some measures for small healthcare practices to follow:

• Perform regular configuration, malware, vulnerability, and all other security audits.
• While installing software, do not accept default configurations settings.
• Within the operating system’s configuration, disable remote file sharing and printing.
• Deactivate the user accounts of former employees.
• Uninstall software that is no longer needed.
• Monitor urgent and critical patches and pay attention to timely updates.

Limit Physical Access to Health Information

Besides network and information, access to devices carrying electronic health information should also be secured from unauthorized access. Data is not only stolen via the network breaches. Even loss by accident or theft of device carrying the electronic health data can be held responsible.

About half of the data losses reported involved loss of devices like laptops, hard drives, CDs, desktop computers, flash drives, and DVDs consisting of medical data.

While businesses pay attention to securing files and information with passwords and access controls, what they miss out is the need to protect devices as well. If physical access to devices used in your small healthcare environment is not limited and controlled, then the chances of the device getting stolen, lost, or tampered increases.

That is why businesses should take strict actions to limit physical access. For instance, they can secure machines in locked rooms, restrict device movement from protected and secured areas, etc.

Small practices should remember two things while locating the server consisting of electronic health information within the EHR system – one is physical, and the other is environmental aspects. Physical protection would include restricting unauthorized individuals to access the server, and environmental protection would mean protection from water, fire, and other surroundings related factors.

The cybercriminals keep waiting for a mistake or loophole on your part to take advantage and steal valuable data. As the use of the internet kept spreading, cyber threats continued to become a concern for many. Hence, to prevent data theft or unauthorized intrusion into your healthcare network, spreading awareness on cybersecurity measures among your medical staff and staying up-to-date with the latest technologies and software that can secure your network and data is crucial.

Featured Image Credit: Campus Safety Magazine