Cybersecurity. It’s a common word in the workplace these days, especially in the healthcare sector. State and federal regulations governing the transmission of Protected Health Information (PHI) can be overwhelming. And if a bad actor gets access, the results can be costly. Healthcare professionals are constantly working with sensitive information, often transmitted over the internet, which makes them a prime target for cyber criminals. And hackers are getting more sophisticated, always finding new and creative ways to ruin your business.

So, what can you do? How can you prevent a hacker from gaining access to your files, stealing your data, and costing you [potentially] hundreds of thousands of dollars? We’ve compiled a list of tips to help you stay ahead of hackers and out of their control.

1. Create a Cybersecurity Culture

The user is the weakest link in any organization. Bad actors can gain access to your network through a variety of methods, including weak and compromised passwords, bugs and viruses disguised as benign software, transmitting PHI over an unsecured network, and a myriad of other ways. Employees must be educated on appropriate cybersecurity practices, and training must be ongoing. Accountability and responsibility for cybersecurity should be a core value within the company. Management should encourage best practices by setting a good example.

2. Maintain Healthy Computer Practices

Those annoying update notifications that keep popping up on your computer? Make certain you’re paying attention to them. Updates and patches help keep your organization protected against the latest cyber threats. Ensure all software, hardware, and applications are kept up-to-date and uninstall and/or replace any unnecessary or outdated software or applications. Before you destroy any devices, make sure they are thoroughly sanitized to verify all data has been removed.

3. Limit Network and Physical Access

By law, the transfer of electronic health information must be protected. Only grant access to authorized people who need the information. Section off the network so that critical systems can access sensitive information, but non-critical systems, such as employee cell phones, patient/family portable devices, and the break room PC, can only access the internet. Devices brought into the practice by visitors should not be permitted to access the network. Staff should not be allowed to install software on any devices without prior authorization.

Data and files aren’t the only things that need to be secured. Unauthorized access must also be prevented on the devices that make up the Electronic Health Record (EHR) system. The most common way that an EHR gets compromised is through the loss of equipment such as computers, phones, portable storage media (CDs, flash drives, DVDs), servers, or even hard drives pulled out of devices. Ensure that physical access to devices is restricted. Secure them in locked rooms, carefully keep track of physical keys, and limit the ability to remove them from the secure location.

4. Install and Update Anti-Virus Software

Make sure you install anti-virus software and keep it up to date. Viruses, bugs, and other similar code exploit vulnerabilities on a device. Even devices with the most recent security updates are at risk due to previously undetected weaknesses. Additionally, external sources such as CDs, flash drives, emails, and downloads can infect devices. Data may be stolen, destroyed, or ransomed without adequate anti-virus protection. The bad actor could even take control of the device.

5. Use a Firewall

While anti-virus software protects from threats once they are inside the network, a firewall prevents bad actors from gaining access to the network. You should have a firewall in place to protect against intrusions and threats from outside sources unless you use an EHR system that is fully disconnected from the internet.

6. Create a Strong Password Policy

The first line of defense against unwanted access to any device is a strong password. It will not prevent attackers from trying to gain access, but it will slow them down and discourage them. A strong password should be at least 8 characters long, using a random combination of uppercase and lowercase letters, at least one number, and at least one special character.

A strong password does not include words or identifying information such as birthdates, names, or anything else that could be easily guessed by others (especially if you’ve ever shared that piece of information on social media: pets’ names, schools you’ve attended, etc.).
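The policy above can be enforced mechanically at the point where a password is set. The following checker is an added example, not part of the original article; it implements exactly the rules stated here (at least 8 characters, upper and lowercase letters, a digit, a special character, and no identifying information), and the list of identifying terms is constructed for illustration.

```python
import re

# Constructed for this example: identifying information the policy forbids
# inside a password (names, birthdates, pets' names, schools). In practice this
# would be built from the user's own profile data.
IDENTIFYING_INFO = ["alice", "smith", "1987", "0312", "rover", "lincolnhigh"]

# Anything that is not a letter or digit counts as a special character.
SPECIAL = re.compile(r"[^A-Za-z0-9]")


def check_password(password, identifying_info=IDENTIFYING_INFO):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not SPECIAL.search(password):
        problems.append("no special character")
    # Identifying information is rejected case-insensitively, anywhere in the password.
    lowered = password.lower()
    for item in identifying_info:
        if item.lower() in lowered:
            problems.append(f"contains identifying information ({item})")
    return problems


if __name__ == "__main__":
    for candidate in ["Tr0ub!e?x", "alice1987", "Pass!"]:
        result = check_password(candidate)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```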

7. Safeguard Mobile Devices

Over the last couple of years, there has been a dramatic shift toward a remote workforce. While companies have started moving back to the office, many employees will continue to work remotely. Because of the expanding remote workforce, protecting mobile devices is becoming increasingly vital. Mobile devices such as laptops and cell phones are especially vulnerable to theft, loss, and interception. These should be equipped with strong authentication protocols to control access. Furthermore, when transmitting PHI electronically, you should only use a secure, encrypted network.

8. Be Prepared for the Unexpected

Unexpected things happen. A tree falls on your office. A criminal breaks in and steals devices. At any time, a fire, flood, cyber-attack, or any number of other disasters could strike, preventing you from operating normally. To mitigate these disasters, create and maintain backups of critical data and test them regularly. Then devise a clear recovery strategy so that you can rapidly retrieve your backups and restore functionality.

9. Perform Regular Risk Assessments

Do you know how your organization stacks up against industry standards and best practices? Conducting a regular, third-party assessment of your network is one of the simplest ways to keep ahead of cyber criminals. This assessment evaluates the assets that could be harmed by a cyber-attack (such as devices, hardware, software, and the EHR) as well as the risk associated with those assets. It can inform you about what threats your business might face, where those threats may occur, and how they could be mitigated.

Don’t blow off HIPAA compliance. There is solid reasoning behind the legislation designed to keep cyber criminals at bay. Regular assessments are necessary to know where you stand, develop a plan of action to remediate gaps, and put the plan into action.

As the cyber landscape changes, developing and maintaining good cyber habits will become more and more important. In the last two years, we’ve seen data breaches in the news from major organizations like St. Joseph’s/Candler Health System, Good Samaritan Hospital, and Forefront Dermatology. If your organization handles EHR, cybersecurity isn’t optional. Make cybersecurity a priority in your organization to prevent sensitive data from falling into the wrong hands.