Hackers and data thieves will use all sorts of methods to try to gain access to your patients' data, whether it's through phishing, malware, ransomware, investment scams, etc.
According to ECRI's 2019 Top Health Technology Hazards, the most common way hackers try to break into your systems is through remote access.
"Remote access systems are a common target because they are, by nature, publicly accessible. They are intended to meet legitimate business needs, such as allowing off-site clinicians to access clinical data or vendors to troubleshoot systems installed at the facility; remote access systems can be exploited for illegitimate purposes," the report notes.
Hackers and scammers can take advantage of healthcare practices that use unmaintained or vulnerable remote access systems to gain easy access to that organization's network.
Once they gain access, these hackers can move to other connected devices or systems, "installing ransomware or other malware, stealing data or rendering it unusable, or hijacking computing resources for other purposes, such as to generate cryptocurrency," the report continues.
So, if you're worried that your remote access security isn't strong enough to defend your systems from hackers, then follow these security tips.
You must remain in total control of your remote access points, which means that you should continuously identify your past and current access points.
For past points, make sure that they are properly cut off from further access. For example, if you severed ties with a third-party IT firm, the access that firm was given should be revoked.
For current points, make sure to document them so that your IT department is well aware of all of them. It's also important that your other employees are aware of where your remote access points are so that they can be on the lookout for anyone pretending to be someone they are not (i.e., a scammer pretending to be a third-party partner who needs access to your system).
At all times, you should closely monitor these access points and put the proper safeguards in place to protect them (just as you would for your internal access points).
One way to safeguard your remote access points is by implementing a firm password policy.
Would you believe that "123456" was the most commonly used password in 2019, followed by "123456789," "qwerty," and "password"?
Well, sadly, that's the truth.
Enforcing a universal password policy throughout your organization, regardless of whether an employee uses a remote access point, will help ensure the safety of your patients' data.
For example, make sure they use 8-12 characters, complete with special characters, uppercase letters, and a number. They should also avoid names, including family members, pets, and sports teams (that CNN article listed the "Cowboys" as one of the top passwords as well).
You should also patch your remote access systems whenever possible. The software and other technology you use for keeping your data secure can always be improved, and your software provider likely releases patches frequently that should be installed to ensure your systems are up-to-date.
Never assume that the software you incorporated into your security systems is going to do the job for years to come without maintenance and patching.
Keeping tabs on who is accessing your remote points is also important — especially for diagnosing a potential breach.
If you're properly logging who is using your remote access points, then you can go back into the log and look through it to see who was online when the breach took place.
HIPAA requires system logging, so ensure you are adequately doing so.
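As an added illustration of the point above (example code, not from the original post or from Medicus IT), the script below parses constructed remote-access log lines and lists which accounts had sessions open during a suspected breach window; the log format, usernames and addresses are assumptions, and sessions with no DISCONNECT are treated as still active.

```python
# Added example, not from the original post: parse constructed remote-access
# log lines and list the sessions that overlap a suspected breach window.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample log (assumed format): one CONNECT or DISCONNECT event per line.
SAMPLE_LOG = """\
2024-03-14T07:55:02Z CONNECT user=rlopez src=198.51.100.7
2024-03-14T08:10:44Z CONNECT user=vendor-svc src=203.0.113.10
2024-03-14T08:30:00Z DISCONNECT user=rlopez src=198.51.100.7
2024-03-14T09:05:19Z CONNECT user=jsmith src=192.0.2.44
2024-03-14T09:40:00Z DISCONNECT user=vendor-svc src=203.0.113.10
2024-03-14T11:15:33Z CONNECT user=rlopez src=198.51.100.7
"""

@dataclass
class Session:
    user: str
    src: str
    start: datetime
    end: Optional[datetime]  # None: still connected when the log ends

def ts(s):
    """Parse the log's UTC timestamp format into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sessions(log_text):
    """Pair each CONNECT with the next DISCONNECT for the same user and source."""
    open_by_key, sessions = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        key = (kv["user"], kv["src"])
        if event == "CONNECT":
            open_by_key[key] = Session(kv["user"], kv["src"], ts(when), None)
        elif event == "DISCONNECT" and key in open_by_key:
            open_by_key[key].end = ts(when)
            sessions.append(open_by_key.pop(key))
    sessions.extend(open_by_key.values())  # sessions that never disconnected
    return sorted(sessions, key=lambda s: s.start)

def online_during(sessions, window_start, window_end):
    """Sessions overlapping the window; open-ended sessions count as still active."""
    return [s for s in sessions
            if s.start <= window_end and (s.end is None or s.end >= window_start)]
```

Calling `online_during(parse_sessions(SAMPLE_LOG), ts("2024-03-14T09:00:00Z"), ts("2024-03-14T09:30:00Z"))` returns the vendor account and jsmith, the two accounts connected during that half hour.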
This one should go without saying, but make sure that everyone throughout your organization understands how their role relates to HIPAA and how to be compliant.
It's essential to have your HIPAA-compliant operations and procedures carefully outlined for all employees to find. In addition to this, it's smart to also partner with a third-party IT provider that is well-versed in HIPAA.
Your patients' data comes in two different forms.
First, it comes in a physical form, like paper. This is typically the easier form to discard, since shredding will usually get the job done.
The other form is digital, which can be trickier to dispose of in a HIPAA-compliant way. Disposing of digital information will involve purging, clearing, or destroying the storage device.
For a more comprehensive look into how to properly dispose of personal data — whether physical or digital — visit this resource from the Health and Human Services website.
When we typically consider data breaches and hacks, we often think about a hacker in a dark room furiously typing to try and gain access to our systems. However, sometimes, it's as simple as a healthcare practice's employee being careless with a portable device, like a laptop.
In fact, over the past few years, there have been multiple data breaches that have occurred due to someone outside of the healthcare organization stealing a portable device that contained protected health information.
One thing healthcare organizations should always do to prevent those breaches: Encrypt all devices that might hold patient data, including laptops, smartphones, tablets, and portable USB drives.
In addition to providing encrypted devices for employees, it’s crucial to have a strict policy against carrying data on an unencrypted personal device.
To ensure your patient's private information is secure, team up with Medicus IT today.
We understand the importance of security in the healthcare industry, which is why we have a robust and comprehensive service offering for healthcare practices that are looking to upgrade their IT security.
Contact us if you'd like to learn more about how we can help you keep your data safe.