Medical practices are quickly getting a dose of reality on how critical it has become to protect information systems in the wake of the city of Atlanta ransomware attack this past month. An attack that caused courthouse documents and services like payment processing to become inaccessible for consumers.
Costs quickly add up to respond, correct and recover from a security breach. According to a recent article, written by Engadget, “The ransom demand was approximately $51,000, but according to the city’s Department of Procurement, Atlanta has spent much more than that on efforts to rectify the situation.” The city of Atlanta is reportedly facing a $2.7 million price tag to fix the issue.
The purpose of the HIPAA Security Rule is to ensure that every covered entity has implemented safeguards to protect the confidentiality, integrity, and availability of ePHI; protecting the practice and its patients. Practices must diligently prepare to protect itself from a security breach. It is imperative and a requirement for all practices to implement systems, policies, and procedures to protect electronic protected health information (ePHI).
To help prepare practices for such instances, we put together nine simple tips that every practice should know to help prevent and respond to security incidents.
1. Conduct a Security Risk Assessment
Understand potential security threats (e.g., downtime and costs associated with ransomware) and the impact they may have on your practice (risk and lost revenue). Use this information to shape your overall security strategy while understanding the risk and likelihood of each scenario occurring.
2. Train Your Employees
Because cybersecurity threats are continually evolving, an ongoing training plan for employees must be implemented. The training should include examples of security risks, as well as instruction on security best practices (e.g., lock laptops when away from your desk). Train your employees and then hold them accountable to follow the practice’s policies diligently.
3. Protect Your Network and Devices
Implement a password policy that requires strong passwords that expire every 90 days. Deploy firewall, VPN and antivirus technologies to ensure your network and endpoints are not vulnerable to attacks. Consider implementing multi-factor authentication and encryption for hard drives. Constant network monitoring is vital especially if you work in healthcare where ransomware attacks are a daily occurrence.
4. Update Your Software
It is essential to use current software products and be vigilant about patch management. Cybercriminals exploit software vulnerabilities utilizing a variety of tactics to gain access to computers and data.
5. Create Straightforward Cybersecurity Policies
Write and distribute a clear set of rules and instructions on cybersecurity and distribute to all employees of the practice. These policies may include policies on social media use, personal device use, authentication requirements, and even what employees can and can’t do on the company computers and network.
6. Back Up Your Data
Regular backups are a requirement to recover from data corruption or loss resulting from security breaches. Consider using a modern data protection tool that takes incremental backups of data periodically throughout the day to prevent data loss.
7. Enable Uptime
Choose a modern data protection solution that enables “instant recovery” of data and applications. Application downtime can significantly impact your business’ ability to generate revenue.
8. Know Where Your Data Resides
Maintaining oversight of business data is an essential piece of the security puzzle. The more places data exists, the more likely it is that unauthorized individuals can gain access to it. Avoid “shadow IT,” which is information-technology tools and systems used inside practices without explicitly organizational approval. An example of this is employees using Dropbox to share data without knowledge to the practice.
9. Control Access To Computer
Use security cards or similar security measures to control access to facilities. Ensure that employees use strong passwords for access to all systems. Remove administrative privileges from all parties who do not need them on a regular basis to reduce the risk.