Healthcare providers have a responsibility to protect patient data. Not only because it’s the right thing to do, but also because they are regulated by HIPAA. Having the right cyber security measures in place for your medical practice is important. There is a lot of things that you can do, but some measures offer more protection than others. Here are our top 7 security tips for your medical practice based on the current threat landscape and our experience providing IT support for numerous healthcare organizations.
Current Threat Landscape
Healthcare organizations are under constant attack. Attackers usually target the weakest parts of your security. In most cases that means your people in one way or another. Social Engineering and Phishing attacks have become more common than ever before. There has also been a significant increase in business email compromise attacks as well. Both rely on tricking a human to gain initial access.
According to Cybint, “95% of cybersecurity breaches are caused by human error, meaning they were likely preventable. Yes, you read that right.”
Remote connections are another area that has had an increased number of attacks in recent years. Many of these connections were set up quickly during COVID and were not secured properly. Some don’t have multi-factor authentication configured.
Once a hacker gains access to your network, ransomware is one of the most common next steps. This is where they encrypt all your data so that you are unable to work, and then hold it for ransom. If you pay them off (sometimes to the tune of hundreds of thousands of dollars) they will supposedly give you the decryption key to get your data back.
Tips to Stay Safe
With that brief but sobering landscape of cyber threats you may be wondering what you can do to protect patient data. Here are our top 7 security tips for your medical practice.
1. Train Your Users
People are usually the weakest link in network security, and so our efforts to secure the network need to start with them. HIPAA training teaches your clients how to work with EPHI but doesn’t always train them on the different cybersecurity threats and what to look for.
We recommend training all your staff on cybersecurity. This training focuses on the various threats that they may see in their day-to-day work. It teaches them how to spot a scam, and what to do and not do when they see a phishing attempt. It also allows you to send test phishing messages to all users before and after the training so that you can measure progress and identify which users might need additional support.
Taking the time to better train your users lowers your risk as an organization. It will help your users not to fall victim to social engineering and phishing. It also is a requirement for most cyber security insurance policies, and one of the most effective things you can do to mitigate risk.
2. Email Security
Email security solutions are another key to helping protect your humans. If we can do a better job preventing that phishing email from ever reaching their mailbox, they won’t even have a chance to click on it and put you at risk.
Encrypted email solutions are a requirement for any healthcare that emails PHI and may of the solutions that allow encryption will also give you protections against spam, phishing, and malicious attachments.
Talk with your IT team to make sure that you have a quality email security platform in place.
3. Multifactor Authentication
Another step you can take is to secure everything possible with MFA. Your EHR software should be configured with MFA. Office 365 and other applications should be secured with MFA. All remote connections into the network should be secured with MFA.
Remote connections such as VPN have recently been a larger target than ever before. Once they have access to the VPN and are on the network, they can usually gain access to servers and additional resources from there. That allows them to wreak havoc with ransomware or other malicious code. Properly leveraging MFA can help to prevent them from ever gaining access to the network in the first place.
4. Backups
HIPAA requires all healthcare entities with patient data to backup that data regularly. If you house or access any patient data, you need to have quality backups. We have seen attacks where the network was infected with ransomware and the backup was infected as well. Here’s how you can prevent that.
Any local backups on your network need to be segregated from the rest of the network. If done properly this will allow you to protect them from ransomware. You should also have an offsite backup of all patient data. That way if the worst happened and your data was encrypted, you would still be able to recover from that offsite source.
5. Protect the Endpoint
Another step you can take is to protect individual desktops and laptops. One of the most effective things you can do is to install an endpoint detection and response solution. Think of this like the latest and greatest in antivirus.
The very best EDR solutions can quarantine an infected computer and cut off network access so that an attack can’t spread. They are also attached to a live security operations team that will notify you and your IT team of any infections or malicious code identified.
6. Privilege Access Management
Another step you can take to protect your network is putting in place privilege access management software. This solution is designed so that you can have an approved list of end user installable apps like office, adobe, your HER, and others that are known good software.
Anything that is not on this list of approved applications flags your IT team before allowing the user to install. This adds a layer of protection to your network because it prevents users from installing malware or keyloggers. Since ransomware spreads by probing the network and installing on additional machines it can also offer additional protection against ransomware.
7. Current OS and Security Patches
This may seem like a simple concept, but it’s important to keep your operating system up to date and apply all available security patches. An older unsupported operating system quickly becomes insecure because it no longer has security patches or updates. The bad guys will continue working to find vulnerabilities, but he software manufacturer has said they will no longer try to repair them. If you stay on a supported operating system this won’t be an issue.
Security patches from Microsoft come out every single week. They need to be applied in a timely manner to allow your organization to stay secure. Talk with your IT team and ensure that you have a plan in place to make sure that these happen regularly.
A Layered Approach
As you can see there is no single solution that will remedy all the potential points of entry an attacker may try. We find that a layered approach to security is typically the most effective. This is also not an exhaustive list of what you could do, and there are some additional things that you probably should do that have not been included for brevity.
Conclusion
Cyber security and HIPAA compliance can be complex and time consuming. It’s also an absolute necessity for medical practices. You have an obligation to your patients to protect their PHI. We hope that these tips have served as a primer to get you thinking about some things that you can do for your organization. i.t.NOW has a team of security professionals ready to help if you decide you would rather be treating patients than dealing with cyber security. Leverage our years of experience in healthcare IT and get back your time to do what you do best – give amazing patient care.
Photo by MART PRODUCTION: https://www.pexels.com/photo/photo-of-gynecologist-sitting-near-medical-equipment-7088498/
