The patient information stored on your office computer systems is a prime target for cybersecurity attacks and data breaches. Why? Personal health information is worth money on the black market. Common vulnerabilities in most medical practices include non-secure texting, email and credit card terminals. And with health care becoming more entwined with technology by the second, it’s important to make sure you are protecting yourself – and your patients.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of protected electronic health information.
Being prepared is key – top resources recommend these tips to get started:
- Consider hiring an outside consultant or firm to review your digital security and help you protect patient data.
- Conduct a risk analysis of all applications and systems, including record retention. You may find the HIPAA Security Risk Assessment Tool helpful.
- Review access and control policies.
- Use up-to-date antivirus software and advanced security solutions.
- Know your system well and develop and maintain a security plan. A plan typically includes:
  - Having working knowledge of your hardware and software.
  - Isolating sensitive systems and data.
  - Encrypting workstations, laptops, smartphones, tablets, portable media and backup devices.
  - Reviewing audit records regularly.
  - Conducting desktop drills.
  - Keeping protocols and policies up to date.
  - Frequently reviewing and updating your plan.
- Avoid clicking on unknown links to websites or links in emails. It’s always a good idea to check the sender’s actual email address and the real URL of any links (hover your mouse over the text) in unknown emails. And always keep an eye out for nonsensical or out-of-character emails from people you do know – that’s a strong sign their account was compromised or that the message is spoofed and they are not actually the sender.
- Use different passwords at each website. Consider using a password manager if you have difficulty remembering them all.
- Always use a mix of uppercase and lowercase letters, numbers and symbols when creating passwords.
- If you receive an unexpected email from, say, a bank or vendor, it’s better to be safe than sorry. Call the company directly, using a number you already have rather than one in the email, and have them verify whether they emailed you recently.
- Refine firewall filters to block bad traffic.
- Have an automated backup system onsite with a mirror-image copy offsite so you can recover quickly if you fall victim to a cyber-attack.
- Evaluate business associates (per the HIPAA Security Rule).
- Check whether cybersecurity is covered under one of your current insurance policies or if a separate policy is needed.
- Look into anomaly detection and signature-based software, as these can report on trends which could indicate a cybersecurity attack or breach.
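The email tip above tells staff to compare the sender’s real address and a link’s real URL with what the message shows. The following script is an added illustration, not part of this article or any HHS tool, that automates those two comparisons on a constructed sample message: it flags a Reply-To domain that differs from the From domain, and a link whose visible text is a URL on a different domain than its actual href. All addresses and domains in it are made up, and the anchor matcher is a deliberately simple regex rather than a full HTML parser.

```python
import email, email.utils, re
from email import policy
from urllib.parse import urlparse

# Constructed sample, not a real message: From and Reply-To use different domains,
# and the link's visible text shows a URL that differs from the real href.
SAMPLE_EMAIL = """\
From: "Regional Bank Support" <alerts@regiona1-bank.example>
Reply-To: support@mail-reply-desk.example
To: office@clinic.example
Subject: Action required on your account
Content-Type: text/html; charset="utf-8"

<p>Please confirm your details at
<a href="http://regiona1-bank.example/verify">https://www.regionalbank.example/login</a></p>
"""

# Simplified anchor matcher (enough for plain <a href="...">text</a>; not a full HTML parser).
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(value):
    """Last two labels of the host in a URL or e-mail address ('' if none)."""
    host = urlparse(value).hostname if "://" in value else value.rpartition("@")[2]
    return ".".join((host or "").lower().split(".")[-2:])

def check_email(raw):
    """Return warnings for the sender and link mismatches the tips above describe."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    from_addr = email.utils.parseaddr(str(msg["From"]))[1]
    reply_addr = email.utils.parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        warnings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain_of(from_addr)}")
    body = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in ANCHOR_RE.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop any tags nested inside the anchor
        # Only visible text that itself looks like a URL can be checked against the real href.
        if "://" in text and domain_of(text) != domain_of(href):
            warnings.append(f"link text shows {domain_of(text)} but actually points to {domain_of(href)}")
    return warnings

if __name__ == "__main__":
    for w in check_email(SAMPLE_EMAIL):
        print("WARNING:", w)
```

Run on the sample it reports both mismatches; a message whose Reply-To, From and link domains agree produces no warnings, which is the same check a careful reader makes by hovering over the link and reading the sender field.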
Looking for additional information? Check out the Department of Health and Human Services’ HIPAA for Professionals.