Cyber attacks threaten the livelihood of the healthcare industry on a daily basis. They can cause hospitals to temporarily turn away patients or re-route ambulances, and your company can be sued by customers and patients whose private information was accessed.
If you're a hospital or private practice, hackers who access your charting or medical dispensing systems can log all employees out of the system, which can slow or halt appointment progress, keep employees from accessing critical information on how to treat patients, and can increase the chance of medical errors occurring.
If a hacker accesses private information at all, your company could be penalized for violating HIPAA. HIPAA violations can carry a host of penalties, from your company or practice being forced to cease daily operations to employees losing their medical licenses.
If you wish to avoid facing the potential consequences of a cyber attack, you need to ensure that your company or practice has sufficient cyber security measures. Read on to discover some basic do's and don'ts when it comes to making sure your organization's cyber security efforts are strong enough.
When people imagine how hackers access private medical records, they think of the usual avenues like hacking an employee's email account or stealing physical files from the building.
However, imagine this scenario. Think of all the private documents that your employees copy, print, and scan every day. Now imagine a hacker having access to the data on those copiers and printers.
When hackers think of which parts of a business network to target, many might think to aim for computers because of all the sensitive documents and programs stored on them, but sometimes, hackers instead aim directly for the printers and copiers.
Hackers know these machines tend to have less security than a computer and might potentially contain sensitive documents on their hard drives.
Though it sounds surprising, hackers can access medical files through your copiers and printers. Since copiers and printers are an overlooked part of a business's security plan, they're often left unsecured.
If a printer or copier is left unsecured, a hacker can remotely access all the files previously scanned or copied and stored on its hard drive, or use the machine as an entry point to break into the company's entire network.
For older copiers and printers with less security, hackers who physically visit your office can simply plug a malware-loaded flash drive into one of your copiers or printers, infect the machine, and then infect a company's entire network.
This same dangerous scenario can potentially play out on newer machines too if you enable features that let you access documents stored on your copiers and printers from your computer.
These hard drives are unsecured, which means a hacker can hack the copier, access these documents, and then access your network. When setting up your copiers and printers, disable this feature, if you can.
Personal copiers and printers typically used in managers' offices come with a host of security risks. Since these machines are usually intended for home use, security isn't as much of a priority when manufacturers build them.
For instance, personal printers can have a "print from anywhere" feature that lets you print documents even when you're away from the office. However, this "print from anywhere" feature has little security because it has to create a hole in your firewall to allow you to communicate with the machine from anywhere in the world.
This hole in your firewall can let a hacker access the machine and anything scanned on it, documents and files on that employee's computer, and potentially even access the whole company's network.
While enabling a "remote support tools" feature lets your machine dealer remotely assist you in fixing issues, this two-way form of communication creates network security gaps.
If you have this feature on your copiers and printers, either turn this feature off or try to opt in to one-way outbound machine support with your dealer.
To patch a potential security threat in your business, consider upgrading to newer copiers and printers because of their updated security features.
For instance, some newer models created within the last 5-6 years have data security kits that you can enable. These kits can have data encryption functions, which scramble the data stored on your copiers and printers, rendering the information useless to a hacker.
Additionally, on some newer models from brands like Canon and Sharp, data security kits may also include a feature that, after a document is scanned, copied, or printed, overwrites its copy on the hard drive up to 28 times.
Newer copiers can also support Transport Layer Security (TLS), which encrypts scanned files the machine sends to your email, and newer versions of Server Message Block (SMB), which let the machine scan documents securely to a folder on your computer instead of sending them by email.
Keep in mind that if your machines are older than two years, you most likely don't have the latest and most secure forms of SMB.
Finally, scanning your network for any open ports on the copiers and printers can identify potential security gaps that hackers can slip in through.
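As an added example, not part of the original post, here is a small Python audit script for copiers and printers that you administer: it checks the ports these devices commonly expose and lists first the ones that should be closed or restricted. The port list and the per-port advice are assumptions for this example; `demo_local_scan` only touches a loopback listener it creates itself.

```python
import socket

# Ports commonly exposed by network copiers and printers, and what an open
# one means. Assumed list for this example; adjust it to the models you own.
PRINTER_PORTS = {
    21: ("FTP", "cleartext logins; disable unless a workflow needs it"),
    23: ("Telnet", "cleartext admin access; disable"),
    80: ("HTTP admin page", "unencrypted console; switch to HTTPS only"),
    161: ("SNMP", "limit to management hosts; use SNMPv3"),
    443: ("HTTPS admin page", "fine once the default admin password is changed"),
    515: ("LPD", "legacy print protocol; disable if unused"),
    631: ("IPP", "acceptable; restrict to the print server"),
    9100: ("Raw/JetDirect", "unauthenticated printing; restrict to the print server"),
}
# Ports whose presence is a finding to fix rather than just to note.
INSECURE_PORTS = {21, 23, 80, 161, 515, 9100}

def scan_host(host, ports=PRINTER_PORTS, timeout=0.5):
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports

def classify(open_ports):
    """Turn open ports into (port, service, advice, needs_fix) findings,
    with the ones that need fixing listed first."""
    findings = []
    for port in sorted(open_ports, key=lambda p: (p not in INSECURE_PORTS, p)):
        service, advice = PRINTER_PORTS.get(port, ("unknown", "identify the service"))
        findings.append((port, service, advice, port in INSECURE_PORTS))
    return findings

def demo_local_scan():
    """Offline self-check: open a throwaway listener on loopback (standing in
    for a printer's open port), scan it, and confirm it is reported. Touches
    only 127.0.0.1; constructed for this example."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        found = scan_host("127.0.0.1", [port], timeout=0.5)
    finally:
        listener.close()
    return found == {port}
```

Run `classify(scan_host(ip))` for each copier or printer address on your inventory; anything flagged `needs_fix` is a setting to change on the device's admin console.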
Don't: Share private files without protected file-sharing software
Sometimes patients ask you to forward their files, or their new office needs you to forward them. Don't mail private files, fax them in an insecure way, or email them over an unsecured server. You risk these files being accessed by the wrong person.
For instance, your fax could be intercepted by someone else standing by the machine, which could potentially break HIPAA if that person reads a sensitive document.
For a more modern approach to faxing that will help you stay HIPAA-compliant, use email encryption software to send documents. This software will scramble the data in the file so that only the intended recipient can view it.
For instance, our comprehensive cyber security package includes a service called Mimecast which can help keep private documents secure when they're sent internally in the company or externally. Mimecast also helps prevent phishing attacks by regulating emails that come from unknown email addresses.
Do: Create a password policy
Creating and enforcing a password policy fosters a culture of employees that pay attention to the security of their accounts. Password policies also help educate employees who might not know much about how to create and maintain secure passwords.
A main focus of any password policy should be to discourage employees from writing down their passwords, whether on a sticky note left at a nurse's station or in the Notes app on an employee's phone. A password written down anywhere is susceptible to being found by hackers.
Since healthcare practices let non-employees into the building, this means that any visitor (such as patients) could easily walk by a nurse's station and grab important files or sticky notes containing account passwords.
For employees who write account passwords down on their personal phone, all it takes is their phone being stolen or their iCloud account being hacked for somebody to have the logins to programs such as the ones you chart with.
Password policies should include points like the importance of changing passwords every six months and creating passwords that don't use easy-to-find information such as birthdays and employee children's names.
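The three policy points above (don't reuse easy-to-find personal facts, change the password every six months, and a minimum length) can be enforced at password-change time. The following Python checker is an added example, not code from the original post; the 12-character minimum, the 182-day age limit and the `SAMPLE_EMPLOYEE` record are assumptions constructed for it.

```python
from datetime import date

MAX_AGE_DAYS = 182  # "every six months", per the policy above
MIN_LENGTH = 12     # assumed; the post sets no minimum length

# Constructed sample employee record for the checks (not real data).
SAMPLE_EMPLOYEE = {"birthday": date(1985, 3, 14), "children": ["Emma"], "username": "jsmith"}

def _date_forms(d):
    """Ways a date commonly ends up inside a password, e.g. 03141985, 3-14-1985, 1985."""
    return {
        d.strftime("%m%d%Y"), d.strftime("%d%m%Y"), d.strftime("%Y%m%d"),
        d.strftime("%m%d%y"), str(d.year),
        f"{d.month}{d.day}{d.year}", f"{d.month}-{d.day}-{d.year}",
    }

def check_password(password, employee, password_age_days=None):
    """Return the list of policy violations; an empty list means it passes.

    `employee` may carry "birthday" (a date), "children" (list of names) and
    "username"; `password_age_days` is how long the current password has been in use."""
    lowered = password.lower()
    alnum_only = "".join(ch for ch in lowered if ch.isalnum())
    violations = []

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Easy-to-find facts: a child's name or the login name, in any case or spacing.
    for name in list(employee.get("children", [])) + [employee.get("username", "")]:
        name = name.lower()
        if len(name) >= 3 and name in alnum_only:
            violations.append(f"contains an easily looked-up name: {name}")

    birthday = employee.get("birthday")
    if birthday:
        for form in _date_forms(birthday):
            if form in lowered or form in alnum_only:
                violations.append(f"contains the employee's birthday as {form}")
                break

    if password_age_days is not None and password_age_days > MAX_AGE_DAYS:
        violations.append("older than six months; must be changed")
    return violations
```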
Don't: Leave an employee in charge of backups
Leaving backups to be carried out manually by an employee comes with a host of potential issues. First, even the most diligent employee is subject to human error. This could mean that a scheduled backup is forgotten or completed incorrectly.
Additionally, leaving your backups on an external hard drive, either with a trusted employee who takes it home for safekeeping or at your facility, is risky.
Whether the external hard drive is left at your facility or at an employee's house, in either scenario, the building could be subject to a burglary, fire, or natural disaster, which means that you automatically lose all that data.
When data backups are done in-house, employees usually don't encrypt and fully secure the external hard drive, which means that a hacker who gets hold of it can easily read everything on it.
Without automated backups conducted by external professionals, your company is left vulnerable to loss of vital data, whether that stems from a burglary, natural disaster, employee error, or cyber attack.
To keep your data secure, consider letting a third party company handle your data backups. They can automatically back up your data as often as you want, for instance every 30 minutes, taking the pressure of scheduling backups off employees.
To ensure that your data is safe, these companies store it in multiple locations, ranging from an on-site server to a primary and secondary data center.
Data housed in an external data center is more secure than it would be in your building or with an employee because these centers come equipped with added features like 24/7 security, reinforced structures, and state-of-the-art fire suppression systems.
Increasing the number of backups per day and housing your data in multiple secure locations means that, in the event of a cyber attack, a third party company can minimize the amount of network downtime in your company.
In the instance of a cyber attack, if your data backups aren't fully automated or secured, network downtime can last up to 3-5 days, costing you money every minute.
Here at Standard Office Systems, our average downtime is 1-2 hours because we ensure that our clients have a robust backup recovery system in place.
Don't: Let your practice's private information get sold on the dark web
Imagine what would happen if your patients' files were uploaded to the dark web. Hackers upload medical files for sale on the dark web because they sometimes contain lucrative private information like social security numbers.
Luckily, there is software that can scan the dark web to see what, if any, private company information is out there. For instance, the scan can find any employee email passwords that exist on the dark web.
As a good rule of thumb, practices should get dark web scans annually so that any information that's found can show which security flaws need to be addressed. We make sure to conduct dark web scans for our clients so they can see what information is out there and adjust their cyber security plan accordingly.
Do: Educate employees on cyber security best practices
Your employees are your weakest link when it comes to your practice's cyber security. You could have the best cyber security tools available on the market and your entire network could be brought down because one employee clicked on a phishing link or created a password that's easy to hack.
Training employees about good cyber security practices from the day they start work will help build a culture of maintaining a secure network. Sometimes, managed IT services providers have cyber security seminars for their clients' employees.
For instance, these outside IT companies can send out fake phishing tests to employees, and then pull any employees who fall for the phishing scheme into a seminar that will teach them about cyber security best practices.
Don't: Leave electronic Protected Health Information (ePHI) unsecured
To keep PHI secure, see if you can put automatic logout settings on any programs like your charting systems. This prevents anybody from walking by a nurse's station or breaking into an office and easily accessing patient information.
Especially for hospital nurses who have night shifts, sleep deprivation could mean that they forget to close their account every time they step away from a work station. Setting automatic logouts can especially help in these scenarios.
Additionally, when possible, try not to email PHI between employees. Emails can be hacked, which leaves any emailed PHI vulnerable to being accessed by a hacker.
Instead, try to hand deliver requested files or relay the information over the phone. Less of a paper trail means fewer opportunities for hackers to access this information.
Do: Implement role-based security
Employees don't need access to every bit of private information that your practice has. Letting employees access all private information, from secure financial documents to patient files, risks an employee with bad intentions leaking the information.
Additionally, unrestricted company-wide access means that hackers have more chances of finding an employee whose account can reach a given system.
Implement role-based security procedures within your practice to minimize the risk of important information being leaked or stolen. Assign different levels of security clearance to employees based on how important it is for them to have access to that information.
For instance, a blue level employee who is simply a nurse might just have access to charting systems, while a red level employee handling the company's financials might just have access to financial accounts and programs.
Role-based security prevents employees from accidentally seeing information that does not pertain to their specific duties, and also prevents employees with bad intentions from accessing information that they shouldn't be able to access.
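The two controls described above, automatic logout of idle charting sessions and role-based access, fit together naturally: every access is first checked against an idle timer and then against a deny-by-default role table. The Python below is an added example, not code from the original post or from any charting product; the 10-minute idle timeout, the blue/red permission sets and the nurse scenario in `demo` are assumptions constructed for it.

```python
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=10)  # assumed charting-system logout interval

# Role -> set of (system, action) pairs the role may perform. Deny by default:
# anything not listed is refused. Role names follow the post's blue/red example.
PERMISSIONS = {
    "blue": {("charting", "read"), ("charting", "write")},
    "red": {("finance", "read"), ("finance", "write")},
}

class AccessDenied(Exception):
    pass

class Session:
    """A logged-in user at a workstation; idle longer than IDLE_TIMEOUT means logged out."""
    def __init__(self, user, role, now):
        if role not in PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.user, self.role, self.last_active, self.log = user, role, now, []

    def expired(self, now):
        return now - self.last_active > IDLE_TIMEOUT

    def access(self, system, action, now):
        """Return True if allowed; raise AccessDenied otherwise. Both outcomes are logged."""
        if self.expired(now):
            self.log.append((now, self.user, system, action, "denied: idle timeout"))
            raise AccessDenied("session expired; log in again")
        if (system, action) not in PERMISSIONS[self.role]:
            self.log.append((now, self.user, system, action, "denied: role"))
            raise AccessDenied(f"role {self.role!r} may not {action} {system}")
        self.last_active = now  # activity refreshes the idle clock
        self.log.append((now, self.user, system, action, "allowed"))
        return True

def _blocked(session, system, action, now):
    try:
        session.access(system, action, now)
        return False
    except AccessDenied:
        return True

def demo():
    """Constructed walk-through of a night-shift nurse's (blue role) session."""
    t0 = datetime(2024, 1, 1, 2, 0)
    s = Session("nurse_pat", "blue", t0)
    ok = s.access("charting", "read", t0 + timedelta(minutes=5))                 # allowed
    role_denied = _blocked(s, "finance", "read", t0 + timedelta(minutes=6))      # wrong role
    idle_denied = _blocked(s, "charting", "read", t0 + timedelta(minutes=30))    # idle 25 min
    return ok and role_denied and idle_denied and len(s.log) == 3
```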
Don't: Have just one layer of security in place
Having little to no cyber security measures in place, such as relying on just a firewall or anti-malware software, leaves you extremely vulnerable in the event of a cyber attack.
Robust cyber security systems with multiple layers of protection, including software, hardware, and trained IT professionals to monitor and patch up your network, ensure that your network and the private information it holds stay safe.
By implementing multiple security measures, you reduce the chances of having to become reactive in the event of a cyber attack. This can save you money from potential data breach lawsuits, prevent HIPAA violations, and reduce downtime in the event of a cyber attack.
As a member of the healthcare industry, you understand the risks associated with your practice's private information getting out. Partner with a third party company who comprehends the unique risks associated with your industry so you're well-protected in the event of a cyber attack.
Posted by Erica Kastner
Erica Kastner is a lead Content Specialist at Standard Office Systems as well as a University of Georgia graduate. She aims to use her passion for problem-solving to help businesses understand how to better leverage their network infrastructure.