How to Keep Your Practice ‘Cyber-Secure’

A recent AMA survey shows that more than four-fifths of physicians have experienced some sort of cyber attack in their practice. Many attacks could have been avoided with internal controls and staff training, according to the AMA.

The research found that 64 percent of affected practices experienced up to four hours of downtime as a result. A third lost up to a day and a half more than that.

The survey of 1,300 physicians by Accenture and AMA found that more than half of the attacked practices, 55 percent, were victims of phishing — most likely, someone on staff clicked on a malicious link in an email. In addition:

  • Almost half (49 percent) experienced computers infected with viruses or malware. This typically results from someone downloading an infected file.
  • For more than a third of the affected practices (37 percent), an employee or other insider inappropriately accessed or attempted to access protected health information (PHI).
  • One-fifth had a breach of electronic PHI.

Here are some tips the AMA offers to keep your practice cyber secure:

  1. Teach your staff how to recognize and react to phishing emails.
  2. Do not allow employees to install software on their networked computers without permission.
  3. Have formal, written staff policies regarding general computer usage and PHI in particular, train your staff, and hold them accountable for their actions.
  4. Encrypt and password-protect all computers, cell phones, tablets and laptops.
  5. Give each employee a separate user account on your computer network.
  6. Require employees to use passphrases for their computer accounts and to change them periodically. A passphrase is a string of text longer than the usual password. Using words or phrases that have a particular association to the user makes them easy to remember, like “5thhouseElmStleft.” Consider using two-factor identification as well.
  7. Always know what computers, cellphones, tablets and laptops you have, and where they are. Lock up laptops not in use.
  8. Limit who has log-in rights to each device.
  9. Give administrative privileges only to key personnel.
  10. Equip each of your computers with antivirus software and antispyware; configure the software to install updates automatically.
  11. Regularly patch and update your software and your computer and server operating systems to prevent them from being vulnerable to new malicious software.
  12. Safeguard your internet connection by using a firewall and encrypting information.
  13. Enable security features on all devices and accounts, such as two-factor identification and tracking features.
  14. Hide your Wi-Fi network by setting up your wireless access point or router so it doesn’t broadcast the network name.
  15. If you want patients to have access to Wi-Fi, provide a guest Wi-Fi network separate from your practice network. Use different passwords for each.
  16. Back up data consistently, and keep multiple copies. Test recovery regularly to make sure backups are working.
 
 
