
10 Things You Should Know About Healthcare IT Security

Feb 19, 2018 4:13:37 PM / by Medicus IT


It seems almost every day that you hear of a new data breach at a well-known company like Uber or Equifax. Imagine how many more security breaches are likely occurring that you don't hear about.

Small businesses and practices are being targeted every day in the cyber world, and it could happen to anyone at any time! If you work in a healthcare practice, then you know that if a hacker got hold of your patient data it could be detrimental to your practice. We put together a list of 10 things that we feel every healthcare practice should be aware of to help prevent future breaches from occurring.


It's not a matter of if a breach will occur but when it will happen.


10 Things you should know regarding Healthcare IT security:


1. Installation of software without prior approval should be prohibited.

Your employees should not have authorization to download new software, because along with it they could download a virus, malware, or even ransomware, opening the practice up to risk.


2. Disclosure of ePHI via electronic means is strictly forbidden without appropriate authorization from a supervisor.

Employees should not be using text messages, emails, or other insecure electronic means to communicate any ePHI to anyone, internal or external. Some practices that run Exchange email can send such information internally over that system.


3. Copiers with built-in capabilities to scan and email ePHI to associates may be unsecured.

Many copiers use insecure communication and mail forwarders to send scanned documents to employees, which presents a significant risk to many practices today. Ask your copier vendor and IT group to review these settings.


4. All corporate computer systems with ePHI should be subject to audit.

To make sure your company computer systems are HIPAA compliant at all times, you should conduct regular audits and receive monthly reports from your IT group showing security patches, antivirus, backup, and asset status.


5. All computers should be manually locked, locked via a screen saver, or logged off when unattended.

Establishing efficient locking procedures for computers will keep patient data safe when your employees must leave their workstations unattended multiple times a day. Automatic locking can be enforced by your server and helps keep ePHI safe when someone forgets to lock manually.


If you would like to learn more about being HIPAA compliant and meeting security standards then check out our next HIPAA Lunch & Learn.


6. Access practice resources utilizing YOUR username and password only – NO PASSWORD SHARING.

Always use YOUR login information when using company property. When patient data is accessed or shared under someone else's login, the access log no longer shows who actually did it, which causes serious problems once an incident has to be investigated. Ensure that passwords are changed frequently and enforce the change for all users.


7. HIPAA requirements mandate that practices create and maintain system access logs and regularly audit them.

Know who has access to your networks at all times. If someone is no longer an employee, then updating their accounts to deny them future access should be one of the first things you do! Get your IT partner to send you monthly reports on users with access to the network, and periodically audit your PM/EMR system for user access as well.


8. Computers should only be used for business related functions and not for personal use.

As much as we all love to browse Facebook during downtime make sure it's not being done on company property unless it's your company page. Implement internet security and website blocking solutions to reduce the company’s risk.


9. Do not open emails from an untrustworthy source. If you believe an email is a phishing scam, then report it as spam immediately!

If you believe an email looks fishy, then it's better to mark it as spam or call your IT partner before opening it. Better safe than sorry! It is also recommended to run simulated employee phishing campaigns each month to educate your employees and to see who in your practice needs more training and poses a risk to the organization.


10. Access to ePHI should be granted only to authorized individuals with a “need to know.”

Your employees shouldn't have access to sensitive information unless it's necessary: the fewer people who have access to confidential information, the better. Review your Practice Management and Electronic Medical Records systems today and reduce access by job role.
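Items 7 and 10 above both come down to comparing who actually used a system against who is still employed and what their job role needs. The following script is an added example, not Medicus IT's tooling; the roster, role map and log lines are constructed sample data, and the PM/EMR system names and the CSV log format are assumptions.

```python
"""Audit constructed access-log entries against an HR roster and a job-role access map."""
from datetime import date

# Constructed sample roster: current job role, and termination date for anyone who left.
ROSTER = {
    "jdoe": {"role": "physician", "terminated": None},
    "asmith": {"role": "front_desk", "terminated": None},
    "bjones": {"role": "billing", "terminated": date(2018, 1, 31)},
}

# Hypothetical "need to know" map: which ePHI systems each role requires.
ROLE_ACCESS = {
    "physician": {"EMR"},
    "front_desk": {"PM"},
    "billing": {"PM"},
}

# Constructed log lines in an assumed format: date,user,system,action
LOG = """2018-02-01,jdoe,EMR,view_chart
2018-02-02,bjones,PM,login
2018-02-03,asmith,EMR,view_chart
2018-02-03,ghost,PM,login
2018-02-04,jdoe,EMR,view_chart"""


def parse_log(text):
    """Turn the CSV-style log text into (date, user, system, action) tuples."""
    entries = []
    for line in text.splitlines():
        d, user, system, action = line.strip().split(",")
        entries.append((date.fromisoformat(d), user, system, action))
    return entries


def audit(entries, roster, role_access):
    """Return (user, system, reason) findings for every entry that should not have happened."""
    findings = []
    for when, user, system, _action in entries:
        record = roster.get(user)
        if record is None:
            findings.append((user, system, "unknown account"))
        elif record["terminated"] and when > record["terminated"]:
            findings.append((user, system, "terminated account still active"))
        elif system not in role_access[record["role"]]:
            findings.append((user, system, "access outside job role"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(LOG), ROSTER, ROLE_ACCESS):
        print(*finding)
```

Run monthly against the real export from your PM/EMR system, each line in the report is a follow-up: disable the account, correct the role assignment, or explain the access.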


Many security breaches occur because of uninformed staff members or negligence. It’s important to provide training to your staff members to avoid major financial penalties when a breach happens.


“Companies spend millions of dollars on firewalls, encryption, and secure access devices and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.” -Kevin Mitnick


Want more information on how Medicus IT can help with your IT needs and help your practice maintain HIPAA compliance? Contact us to see how we can help with your IT needs!


