The healthcare industry must follow strict protocols to remain compliant with HIPAA. Because many organizations within the industry store private information such as patient files and financial records, the industry as a whole increasingly has a target on its back for cyber attacks. Staying HIPAA-compliant is one way those in the healthcare industry can avoid both non-compliance penalties and cyber attacks. Read on to see how a managed services provider can help your healthcare organization stay HIPAA-compliant.
Installations and Monitoring
Hackers can access medical files through your copiers and printers. Since copiers and printers are an overlooked aspect of a business' cyber security plan, they're often left unsecured.
Personal copiers and printers typically used in managers' offices come with a host of security risks. For instance, personal printers can have a "print from anywhere" feature that lets you print documents even when you're away from the office.
However, this "print from anywhere" feature has little security because it has to create a hole in your firewall to allow you to communicate with the machine from anywhere in the world.
This hole in your firewall can let a hacker access the machine and anything scanned on it, documents and files on that employee's computer, and potentially even access the whole company's network.
While enabling a "remote support tools" feature lets your machine dealer remotely assist you in fixing issues, this two-way form of communication creates network security gaps. If you have this feature on your copiers and printers, either turn this feature off or try to opt in to one-way outbound machine support with your dealer.
To patch a potential security threat in your business, consider upgrading to newer copiers and printers because of their updated security features.
For instance, some newer models of brands like Canon and Sharp have data security kits with features that, when a document is scanned, copied, or printed, erase those documents from the hard drive up to 28 times.
Newer copiers can also have features like Transport Layer Security (TLS) that encrypt scanned files that the machine sends to your email, as well as newer versions of Server Message Block (SMB), which securely scans documents to a folder on your computer instead of your email.
A simple way that a managed IT services provider can keep your network safe from hackers who want your patients' information is by installing various layers of cyber security hardware and software.
MSPs go beyond just installing a firewall and anti-virus software. They can set up email filtering services that monitor for potential phishing schemes, and set up secure file-sharing software to ensure that any PII sent online reaches the right person and is encrypted so nobody else can view it.
For instance, our comprehensive cyber security package includes a service called Mimecast which can help keep private documents secure when they're sent internally in the company or externally. Mimecast also helps prevent phishing attacks by regulating emails that come from unknown email addresses.
Remote Employee Security
Any remote employees, including any that travel for work or work from home sometimes, pose potential threats to your network's security. Employees in your office are connected to your office's WiFi, which you control and can make as secure as possible.
When remote employees are working at home or out in the field, the WiFi at their house, a coffee shop, or a client's office might not be as secure. Thankfully, a managed IT services provider can help your remote employees keep data safe when they're out of the office.
Installing VPNs (Virtual Private Networks) for remote users can ensure that the work devices they use are secured. VPNs create a private network over a public Internet connection, allowing remote employees to handle confidential information outside of the office without risking data breaches.
Additionally, for any employees that use work phones outside of the office, password policies and cyber security awareness training can also help them avoid exposing confidential patient data through their work phones, which may have less built-in security measures than a desktop.
Dark Web Monitoring
The dark web can pose serious threats to your business. If a hacker gets a hold of your network, they can steal patient files and other sensitive information that can be sold on the dark web. If patient information is published to the dark web, you could potentially be in breach of HIPAA.
Thankfully, a managed IT services provider can use special tools to scan the dark web and find company information that's out there. While you cannot remove this information once it's been published to the dark web, it can expose weaknesses in your network to address in order to prevent future breaches.
Cyber Security Awareness Training
Unfortunately, your employees are your weakest link when it comes to your practice's cyber security. The best cyber security tools on the market prevent outside attacks on your network, but what about an employee who has easy-to-guess passwords or doesn't know what a phishing email looks like?
One employee with a minimal understanding of good cyber security practices could bring down your entire network.
Training employees about good cyber security practices from the day they start work will help build a company culture of maintaining a secure network. Sometimes, managed IT services providers have cyber security seminars for their clients.
Additionally, your MSP can send out fake phishing tests to employees, and then pull any employees who fall for the phishing scheme into a seminar that will teach them about cyber security best practices.
Creating and enforcing a password policy keeps hackers from easily accessing accounts with sensitive information such as patient files. Password policies also help educate employees who might not know much about how to create and maintain secure passwords.
A main focus of any password policy should be to limit how much employees write down their passwords, whether in a notebook left at a nurse's station or in the Notes app on an employee's phone. Writing a password down anywhere leaves it susceptible to being found by hackers.
Since healthcare practices let non-employees into the building, this means that any visitor (such as a patient) could easily walk by a nurse's station and grab important files or notes containing account passwords.
Additionally, for accounts or programs with administrator permissions/passwords, aim to limit the number of employees and devices with administrator privileges. This decreases the odds that a hacker will find a device on your network with administrator rights, which would let them take control of your network and any programs you use.
When creating passwords, instruct employees that they should aim to change passwords every few months. They should enable two-factor authentication when possible, and never put easy-to-find information such as children's names in a password.
Employees don't need access to every bit of private information that your practice has. Letting employees access all private information risks an employee with bad intentions leaking the information or somebody accidentally viewing information that they aren't authorized to see.
Additionally, giving every employee access to all information means that hackers have more chances of finding an employee whose account reaches the data they want.
Implement role-based security procedures within your practice to minimize the risk of important information being leaked or stolen. Assign different levels of security clearance to employees based on how important it is for them to have access to that information.
For instance, a blue level employee who is simply a nurse might just have access to charting systems, while a red level employee handling the company's financials might just have access to financial accounts and programs.
Role-based security prevents employees from accidentally seeing information that does not pertain to their specific duties, and also prevents employees with bad intentions from accessing information that they shouldn't be able to access.
You can also take role-based security a step further by limiting who has administrator permissions on your server. This prevents hackers from easily finding a device with permission to make server-wide changes.
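The role-based model described above (blue-level clinical staff reaching only charting, red-level staff reaching only finance, and a deliberately short list of administrators) can be expressed as a deny-by-default permission check. This is an added illustration, not code from the original post or from any MSP; the role names, permission strings and staff records are constructed for the example.

```python
"""Deny-by-default role-based access check for the blue/red-level model."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Each role lists the only permissions it may exercise. Anything not listed
# is denied, so a nurse never reaches finance and billing never reaches charts.
ROLE_PERMISSIONS = {
    "blue":  {"charting:read", "charting:write"},   # clinical staff
    "red":   {"finance:read", "finance:write"},     # billing / financials
    "admin": {"charting:read", "charting:write",    # server-wide changes
              "finance:read", "finance:write", "server:admin"},
}


@dataclass(frozen=True)
class Employee:
    name: str
    roles: FrozenSet[str]


def is_allowed(employee: Employee, permission: str) -> bool:
    """Grant only if one of the employee's roles explicitly lists the permission.
    Unknown roles and unknown permissions both fall through to a denial."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in employee.roles)


def admin_holders(staff: Iterable[Employee]) -> List[str]:
    """Everyone able to make server-wide changes: the list the text says to keep short."""
    return sorted(e.name for e in staff if is_allowed(e, "server:admin"))


def over_admin_limit(staff: Iterable[Employee], limit: int) -> List[str]:
    """Return the admin holders if there are more than `limit`, else an empty list,
    so a periodic review can flag privilege creep."""
    holders = admin_holders(staff)
    return holders if len(holders) > limit else []


# Constructed sample staff list (not real data).
STAFF = [
    Employee("nurse_a", frozenset({"blue"})),
    Employee("billing_b", frozenset({"red"})),
    Employee("it_c", frozenset({"admin"})),
    Employee("manager_d", frozenset({"red", "admin"})),
    Employee("contractor_e", frozenset({"unknown_role"})),
]

if __name__ == "__main__":
    print(is_allowed(STAFF[0], "finance:read"))   # False: nurse blocked from finance
    print(admin_holders(STAFF))                    # ['it_c', 'manager_d']
```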
HIPAA protects patient confidentiality and builds trust between healthcare organizations and their clients. As more and more data from healthcare organizations moves online, those who want to abide by HIPAA must strengthen their cyber security efforts to keep this data safe.
Partner with a managed IT services provider that understands the ins and outs of HIPAA and can build a cyber security plan that keeps you compliant.
Posted by Erica Kastner
Erica Kastner is a lead Content Specialist at Standard Office Systems as well as a University of Georgia graduate. She aims to use her passion for problem-solving to help businesses understand how to better leverage their cyber security infrastructure.