What Are You Doing To Protect Your Patients’ Data & Your Practice?
Cyberattacks targeting the healthcare industry have doubled over the last year, and ransomware appears to be the preferred method of gaining entry to an organization’s sensitive collection of patient data, according to the X-Force Threat Intelligence Index, a report released by IBM Security. Unfortunately, according to the FBI and cybersecurity and data protection services experts, this is because organizations that operate within the healthcare sector tend to have fewer dollars to commit to IT security and, thus, are unable to implement stronger cybersecurity measures. As a result, bad actors have targeted healthcare organizations as easy prey.
Don’t Give Hackers Free Rein
Think about all the patient information being stored in your existing files, many of which are electronic. If a hacker were to gain access to this information, they could use it to unlock your patients’ bank accounts or uncover their prescription medications. But your computer systems aren’t the only way cybercriminals can gain access to this information. The FBI cites a SANS Institute report that describes other ways criminals could potentially access critical patient information.
Can You Answer The Hard Questions?
This is all pretty alarming information, especially if you’re not already aware of the growing cyber danger that healthcare organizations like dental practices, vision centers, and general medical practitioners face daily. Now the hard question:
How strong are the IT security practices within your practice?
If you’re not sure how you stack up against others in your industry or if you simply don’t know whether your practice is protected, then it’s time to consider the steps you can take to ensure that your practice’s IT systems are adequately secure. Read on for six IT security considerations for medical professionals.
IT Security Considerations For Your Dental Practice
1. Do you currently use outdated software or office products?
Microsoft, for example, regularly stops supporting older versions of its operating system, which means the company is no longer putting in the effort to build and provide security patches for its users. If your software company is no longer providing you with software updates, you are at a higher risk of a security breach. Computer systems are the go-to example. However, this same scenario could impact other outdated products, including attached printers or surveillance cameras. Take a walk around your office and make a note of the technology currently being used throughout your practice. Are updates needed to ensure there are no chinks in your digital armor?
2. Do you have a disaster recovery plan in place?
If you’re not sure what you would do if your practice had a data breach, then now is a good time to put a disaster recovery plan in place. For example, if your plan to protect (and, if necessary, recover) information vital to your business doesn’t include storing your data in an offsite location several miles away from your practice, make arrangements to get this in place immediately. Then, once you have established a backup location for your data, check the integrity of your backup data regularly to ensure that, if your practice were to go down tomorrow, you would be able to restore critical information and maintain daily business operations. Do you have an offsite location where you store data? If so, make sure to test offsite backup data for accuracy and completeness. Reassess the priority of the applications used to perform your main processing. An application priority listing is essential in the event of a disaster so that immediate recovery of your practice can begin.
3. When was the last time you reviewed your service agreements?
If it’s been a while, review all of your service agreements to verify that you aren’t paying for equipment or software that has been taken out of service. Ask yourself whether it would be less expensive to replace equipment that’s been taken out of service, in order to ensure stronger security, than to pay for maintenance and a possible security breach.
4. Do the right people have access to your IT systems?
Review user logins to ensure that only the right employees have access to your network. Don’t leave unnecessary logins (i.e., former employees’ logins) active, where they could be improperly accessed. This is especially important if you’re operating in a cloud-based environment. You should also test shared drive directories to confirm that areas that store sensitive data are still secure and only accessible by employees who actually need access for their job responsibilities.
5. Does your dental practice have an IT policy for its employees?
If you don’t already have an IT policy in place for your employees, you’ll want to make this a priority. If employees can access the Internet at your practice, consider what you’ll want them to be able to gain access to and whether it’s pertinent to their jobs. Remember, certain websites are riskier than others. It’s up to you to determine the parameters of their access. In other words, an “all-access internet pass” is just a data breach waiting to happen. When considering your IT policy, don’t forget about the smart devices employees may own and bring into the office, and how they might impact the security of your practice’s internal network.
6. Do you store any patient financial data on your network?
If you do, then you’ll want to use extreme caution about where and how you store that data, and consider whether it’s even necessary to store it in the first place. Ensure that your practice is not storing credit card numbers, Social Security numbers, or checking/routing numbers in an insecure environment. Don’t forget to educate your employees about the importance of this security measure.
Contact Our Dental Practice Professionals
Not sure how to begin evaluating the strength of your practice’s IT security? Contact Rea & Associates to speak with one of our cybersecurity and data protection services experts who specialize in the unique cyber risks facing practice owners. Our team can help you secure your existing data, comply with HIPAA responsibilities, and help you put a plan in place to guard against bad actors moving forward.
By Travis Strong, CISA (Wooster, OH)