We live in times where the looming threat of cyber attacks is causing healthcare organizations to re-think their cybersecurity policies. Medical practitioners may believe that if they are small and/or their cybersecurity “has always worked,” they will escape the attention of cybercriminals, but you should instead be ramping up your healthcare IT services immediately rather than being complacent.
Every day there are new attacks aimed specifically at small to mid-size healthcare organizations (such as doctors’ and dentists’ offices) for the very reason that they are low-profile and less likely to have fully protected themselves. Cybercriminals have been highly successful at penetrating these smaller organizations and carrying out their seedy activities while their unfortunate victims remain unaware until it is too late.
The bottom line is – you need to do as much as possible to protect sensitive health information in EHRs. The consequences of a successful cyber attack could be very serious, including loss of patient trust, violations of the Health Insurance Portability and Accountability Act (HIPAA), or even loss of life or of the practice itself. Real-world examples both large and small abound.
Barely a day goes by that we don’t see reports on the latest cyber attacks, which call into question medical facilities’ healthcare IT services and security (especially) every time they happen.
What should be a source of even further motivation for medical facilities to step up their healthcare cybersecurity is the fact that research shows that even well-meaning computer users can inadvertently cause a cyber breach.
But why is disaster happening to so many well-intended medical staff?
Because they fail to follow basic cybersecurity principles. This might be due to lack of training, time pressures, or any of a range of reasons. Yet following healthcare IT security best practices can be just as important, and just as basic to patient safety, as good hand-washing practice.
To fight against cyber attacks, both internal and external, a core set of best practices was developed by our healthcare IT services experts to address the unique needs of healthcare practices. Our medical practice cybersecurity best practices were developed in part from official recommendations (such as those published by HealthIT.gov).
Cybersecurity is the protection of data and systems in networks that connect to the Internet – and many healthcare providers aren’t concerned enough about it.
Healthcare cybersecurity applies to any computer or other devices that can transmit electronic health records to another device over a network connection, whether it uses the Internet or some other network.
Here are some ways to keep your healthcare practice IT security maximized:
All health care providers, health plans, and health care clearinghouses that transmit health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA are “covered entities” and must comply with the HIPAA Privacy and Security Rules.
The HIPAA Rules, as many of you may know, define “protected health information” (PHI) as all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Generally, “individually identifiable health information” is information that relates to an individual’s health and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
To minimize the risk to protected health information when setting up EHR systems, we are reminded of the importance of passwords in healthcare IT security best practices. The password, however, is only one half of what makes up a computer user’s credentials. The other half is the user’s identity, or username. In most computer systems, these credentials (username and password) are used as part of an access control system in which users are assigned specific rights to access the data within.
This access control system might be part of an operating system (e.g., Windows) or built into a particular application (e.g., an e-prescribing module); often both are true. In any case, an EHR implementation needs to be configured to grant access to PHI only to people with a need to know it. The need to know is narrowly defined, so in all but the smallest practices EHR systems should be configured carefully so that access can be limited to that need.
Ease of use and flexibility make contemporary networking tools very appealing. Web 2.0 technologies like peer-to-peer file sharing and instant messaging are popular and widely used. Wireless routing is a quick and easy way to set up broadband capability within a home or office.
However, because of the sensitivity of healthcare information and the fact that it is protected by law, tools that might allow outsiders to gain access to a healthcare practice’s network must be used with extreme caution.
Wireless routers that allow a single incoming cable or DSL line to be used by multiple computers are readily available for less than $100. For the small healthcare practice that intends to rely on wireless networking, special precautions must be taken. Unless the wireless router is secured, its signal can be picked up from some distance away, including, for example, the building’s parking lot, other offices in the same building, or even nearby homes.
As you may know, since PHI flowing over the wireless network must be protected by law, it is crucial to secure the wireless signal so that only those who are permitted to access the information can make use of it. When a wireless router is used, it must be set up to operate only in encrypted mode.
Devices brought into your medical practice by visitors should not be permitted access to the network, since it is unlikely that such devices can be fully vetted for security on short notice. Setting up a network to safely permit guest access is expensive and time-consuming, so the best defense is to prohibit casual access.
In configuring a wireless network, each legitimate device must be identified to the router, and only those devices should be permitted access. Peer-to-peer applications, such as file sharing and instant messaging, can expose the connected devices to security threats and vulnerabilities, including permitting unauthorized access to the devices on which they are installed.
Good healthcare IT services that emphasize cybersecurity policies will also prohibit staff from installing software without prior approval.
We’re ready and standing by to upgrade your healthcare IT services… are you?
Helping companies nationwide establish better healthcare cybersecurity best practices is just one of the big ways we help today’s medical practitioners secure patient data and stay in business.
For further guidance and qualified consultancy in healthcare IT services that keep you in compliance and provide total data protection, visit GDS and contact us at (888) 849-6818 or info@GDSConnect.com for more information.