It takes a lot to run a medical practice. You all of a sudden become CEO, HR, sales, customer service, manager, and – oh right – still a doctor.
With all of that going on, IT security often sits low on the priority list, not to mention security skill development.
Too often, you set up your security policy once when you start your practice and never think about it again, with the exception of updating your anti-virus software.
But, your role in security must change!
Healthcare organizations and small businesses are being targeted more than ever by hackers, as shown by the sharp increase in breaches over the past 3 years.
Such breaches often result in costly fines and can also mean professional embarrassment, legal action, and public scrutiny. Your longevity as a practice requires you to learn how to implement some simple security measures for even the busiest practices.
Some security solutions are easier than others, but everyone can start with a review of the organization’s policies and practices to make sure they are compliant with HIPAA. There are a lot of great consulting firms that specialize in HIPAA compliance policy.
Many practices don’t have the benefit of a dedicated IT staff to implement best practices. But you can still take very practical measures to protect your security, and with it your business.
1. Claim your Devices: It’s best to separate home and work for your office PC, laptop, tablet, and smartphone where possible.
In fact, you should invest in two smartphones, one for business and the other for personal use. And give the respective phone numbers and email addresses to a very select few. None of your personal contacts should have access to your secure business phone or devices.
Be sure that your devices are encrypted and secured with strong passwords (more on that later).
2. Cell Phone: Smartphones are as smart as they can be, but iOS is a bit safer than Android out of the box. iOS phones encrypt everything as soon as you lock your screen, but Androids must have that function enabled.
3. Limit Apps: When apps seek your permission to install, they will also ask permission to access your data, contacts, and so on. Either deny the permission or do without the app unless it is from a most trusted source.
4. Strong Passwords: If your phone or device permits a password longer than six digits, make use of it. Strong passwords include upper- and lower-case letters and symbols like &, *, % and the like. In any case, set up your phone and devices to require a password rather than your thumbprint or a swipe.
Passwords should not resemble birthdays, anniversaries, holiday dates, addresses, zip codes, or anything vaguely familiar. Randomly assembled passwords are best, and you can use password generators to create them. Some security systems and password managers include such generators. Even randomly generated passwords are not that difficult to remember with a little effort.
5. Change Passwords: If you keep the passwords for your main smartphone and for your dedicated business devices yourself, you can change them frequently without effort. Absolute security means you cannot share these passwords with staff or family.
6. Encrypt Messages: End-to-end encryption is an absolute must for any messages carrying PHI to patients, staff or vendors. Be sure that the vendors you choose sign Business Associate Agreements as well.
But adding encryption doesn’t have to mean adding difficulty for your intended recipients to view your messages.
Technology has come a long way and vendors like Paubox can secure your email without requiring portals or extra steps for users. You can often also keep your current business email address and email client.
7. Safe Browsing: When you’re using the internet at work, be sure to stay safe and avoid spam websites and unknown downloads that can infect your computer or device with malware.
8. Avoid WiFi Hotspots: Convenient as they are, open WiFi networks at coffee shops, public buildings, airports, and the like are literally open to anyone wishing you ill. Your secure devices should not depend on such risky public convenience without using a Virtual Private Network (VPN).
These are just a few simple tips you can implement right now to start securing your practice, but don’t let that stop you from doing more.
You can also step up your cybersecurity knowledge by checking into readings such as these:
FCC: Cybersecurity Planning Guide
Information Security and Privacy Program (HHS) Cybersecurity for Executives: A Practical Guide
Personal Security–At Home, On the Street, While Traveling