Cyber attacks on healthcare networks have increased dramatically in recent years, but there are steps to protect your practice.
Privacy is a major concern for individuals across the digital world, but this is especially true for patients and their Protected Health Information (PHI), which command a high price on the dark web. Unfortunately, the reality is that cyber attacks on healthcare networks have increased exponentially in recent years, putting highly sensitive patient information at risk. Healthcare IT can help by ramping up security measures, and organizations can provide up-to-date cybersecurity training for employees.
Here are some cybersecurity basics and best practices to follow:
Conducting healthcare cybersecurity training
Human error or negligence can have severe and costly consequences for healthcare organizations. Cybersecurity training provides healthcare professionals with the information they need to make wise decisions and exercise appropriate caution while managing patient data. In particular, effective cybersecurity training should help employees recognize and stop attacks before they cause harm. The best place to start is to consult with a trusted cybersecurity provider who will work with you to design a cybersecurity training program and train employees to protect your data.
Another reason why cybersecurity training is vital is that it is mandated by HIPAA. Specifically, the HIPAA Privacy Rule contains a requirement that the service provider “train all members of its workforce in policies and procedures relating to protected health information,” and the HIPAA Security Rule includes a similar requirement for the service provider “to implement a security awareness and training program for all personnel of the force.” operating (including management).” With this training applied, and repeated often, employees are better equipped to recognize situations where the use of PHI requires special protection, such as the use of HIPAA compliant email or role-based access controls.
In addition to recognizing threats, employees must also be trained in the organization’s data incident reporting protocol when an employee’s device becomes infected with a virus or functions abnormally. Warning signs of such problems may include a device running slowly, unexplained errors, changes in the way your computer works, etc. They must understand how to identify a real warning message or alert and promptly report such incidents to IT personnel.
Stay informed of HIPAA’s privacy and security rules
In addition to the previously mentioned training requirements, the HIPAA Privacy and Security Rules include a wide range of provisions to help protect patient data.
The HIPAA Security Rule ensures the security of electronic health information generated, used and maintained by covered entities, i.e. organizations subject to HIPAA law. In the HIPAA Security Act, policies and procedures for how to manage protected health information are established from administrative, physical, and technical perspectives.
According to the privacy rule, the information cannot be used or shared without the patient’s permission. In accordance with the HIPAA Privacy Rule, personal health information, including medical records, insurance information, and other sensitive data, must be protected.
These rules have seen a number of updates since they were first added to HIPAA in 2000 (Privacy Rule) and 2003 (Security Rule), including the recent Notice of Telehealth Enforcement Estimate, which was enacted during the pandemic to give providers more flexibility in Use of telecommunication tools for telehealth services.
It is important for healthcare providers and employees to stay up-to-date with HIPAA regulations and rules as part of their cybersecurity training.
Use strong passwords
Passwords can be an easy target for malicious actors to exploit. A weak password is one of the most serious risks to the company’s security. Organizations such as the National Institute of Standards in Technology (NIST) regularly publish and update their recommended password guidelines. NIST’s most recent recommendations* include:
- Password length is more important than password complexity.
- Do not force a regular password reset.
- Implement two-factor authentication, which requires an additional form of identification — such as access to an email account — to use to authenticate a user.
- Use a password manager, which encourages employees to choose stronger passwords
Beware of unknown emails
One of the most common ways hackers gain access to a corporate network is through email phishing attacks, also known as email spoofing or email spoofing. Phishing is a malicious attempt to trick recipients into giving up personal and online account information in order to gain access to and exploit more valuable and sensitive systems.
Within healthcare practices, display name spoofing – a targeted phishing attack in which an email display name is changed to make the message appear to come from a trusted source – is a frequent attack strategy used by bad actors. Although there is technology specifically designed to combat display name spoofing, when it comes to training, it is important for employees to understand the who, what, where, when and why of every email they receive. especially:
- Never blindly click on an attachment or link.
- Beware of messages that seem too good to be true or too urgent.
- Hover over the display name to see the sender’s email address.
- Check not only the email address but all the email header information.
- If you’re on a mobile device and you’re not sure about a message, open it on your PC as well.
- If you suspect an email message, contact the sender in another way.
Often the best defense is a good attack and being prepared and educated about cybersecurity threats is of paramount importance to healthcare practices. The combination of strong IT safeguards, as well as cyber security-aware personnel, can go a long way in conducting your practice in a safe and secure manner.
Shawn Dickerson is Vice President of Marketing for Pauboxa leading provider of HIPAA compliant email and marketing solutions for healthcare organizations.