Surgical practices spend so much time worrying about running afoul of HIPAA legislation that it can be easy to overlook the importance of cybersecurity. However, it’s not something to be taken lightly. According to the Verizon Data Breach Investigations Report, medical data is the most commonly breached data.
We spoke to cybersecurity expert Jack Kustanowitz, founder and principal at MountainPass Technology, who specializes in health tech and security to understand some of the most common threats and tips to overcome them.
Here is a summary of the discussion and tips to ensure your surgical practice is cyber secure:
Following HIPAA helps with cybersecurity
It turns out that HIPAA legislation does more than cover patient privacy, it also helps with cybersecurity by ensuring data and sensitive information is not exposed. For example:
- Making sure staff don’t leave documents/records lying around the office, especially in public places.
- Ensuring staff don’t keep passwords on Post-it notes next to their monitors. This is problematic from both a cybersecurity and a HIPAA perspective.
- Checking that all terminals have antivirus software installed and that terminals auto-lock after a set period of inactivity.
Antivirus is a must for every machine
As mentioned above, make sure you have up-to-date antivirus installed on every machine in the practice – including laptops used for remote work. This protects against basic human error, such as clicking a phishing link or installing ransomware.
All on-site systems should have regular off-site backups. That way, if there’s an attack, you have a known-good copy of your data to restore from. Used alongside antivirus software, backups reduce both the odds of a successful attack and its impact if one does happen.
Staff should also be trained on password security. The best practice these days is to store passwords in a password safe such as LastPass or 1Password. These password safes store an encrypted version of the passwords in such a way that even the companies themselves can’t retrieve them.
Ensure staff working remotely are secure
With the increase in remote work, staff who need to access PHI should do so from a work laptop only. The work machine should have up-to-date antivirus software and connect only to a secured home Wi-Fi network. For general security, every computer on that home network should also have antivirus installed and be protected in the same way as an office workstation.
Mobile devices also need to be secure
Both for personal protection and to protect PHI, require a lock code, fingerprint or face ID on every mobile device. That means that if someone gets hold of your phone, they won’t be able to access any sensitive information it may contain.
Do not send PHI over SMS/Text messages or personal email accounts
Practices need to make it very clear that staff should not send text messages containing PHI to other staff – and this includes surgeons. Additionally, staff should not use personal email accounts to send PHI as this may not be secure. Staff should only use their work emails or HIPAA compliant messaging apps to transfer PHI and communicate about patient data. This will guarantee end-to-end encryption and is the only secure way to communicate.
Two-factor authentication is better than one
For additional security, set up two-factor authentication for all accounts. This means that in addition to needing a password to log in, users get a notification – usually on their cell phone – to confirm that they are actually the person trying to log in.
This way, if anyone else tries to access your work account, you can deny the authentication and they will not be able to get into your account – even with your password.
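To make concrete why a stolen password on its own is not enough once a second factor is in place, here is an added example (not code from the article or from MountainPass Technology) that implements the authenticator-app style of second factor (RFC 6238 time-based one-time codes) rather than the push notification described above. The user record, salt and shared secret are constructed demo values; the secret is the RFC 6238 test key, so the codes it produces are the published test-vector values.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret shared between the practice's login server and the
# staff member's authenticator app at enrollment. Assumption: this is the RFC
# 6238 test key, not a real credential; real deployments generate it randomly.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp_code(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step
    msg = struct.pack(">Q", counter)          # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # dynamic truncation (RFC 4226 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, submitted, unix_time, window=1):
    """Accept the current step plus `window` steps either side to tolerate clock drift.

    Comparison is constant-time so a wrong code cannot be narrowed down digit by digit.
    """
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed user record: the server keeps only a PBKDF2 hash of the password
# plus the TOTP secret. Assumption: demo values only.
_SALT = b"constructed-salt"
USER = {
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 200_000),
    "totp_secret": DEMO_SECRET_B32,
}


def login(password, code, now=None):
    """Both factors must pass: a password obtained elsewhere is rejected without the code."""
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000),
        USER["password_hash"],
    )
    # Evaluate the second factor unconditionally so the two failure paths
    # are not distinguishable by timing.
    code_ok = verify_totp(USER["totp_secret"], code, now)
    return pw_ok and code_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; expected 6-digit code is 287082
    print("code at t=59:", totp_code(DEMO_SECRET_B32, t))
    print("password only:", login("correct horse", "000000", t))
    print("password + code:", login("correct horse", totp_code(DEMO_SECRET_B32, t), t))
```

Run the block directly to see the RFC test-vector code and the two login outcomes. The `window` parameter is the usual trade-off: one step either side covers phone clock drift, while a wider window gives a guesser more valid codes per attempt, so pair it with rate limiting on the login endpoint.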
Bottom line – cybersecurity adds a layer of hassle, but it’s a necessary hassle
Just like security at airports is annoying, it’s something we’ve all come to live with. Being cognizant of cybersecurity and taking precautions in surgical practices is no different. Management at the practice should foster an environment that encourages staff to be aware of data security at all times. The policies mentioned above can make working life more challenging, but knowing your surgical practice has covered the bases and protected as much data as possible is very important, and will hopefully keep your practice safe from a data breach and patient information from being compromised.
To hear Jack Kustanowitz talk about cybersecurity with our very own Justin Rockman, watch our webcast here.