Cyber-security is a very important aspect for all healthcare professionals and medical practices to have in mind.
It is important that doctors are not lulled into a false sense of security, because attacks are often indiscriminate.
Using words like ‘attack’ and ‘hack’ breeds the misunderstanding that these data breaches are targeted.
In reality, they are hit-and-hope operations – and your business is just another IP address.
The experts say that your size or your business is irrelevant.
Even if you are a small practice, for example, you will have on your system personal information related to your patient base.
That information on its own has a degree of value, but it can then be aggregated with lots of other sorts of information and used for fraudulent activity.
Personal information has a value, a currency value, on the dark net.
If the attacks sound Matrix-level mind-spinning, then the advice to protect against them can seem quite basic.
Anti-malware, passwords, phishing… surely we know all this by now?
To help, IT experts have outlined 12 cyber-security steps that you should follow to protect your medical practice.
1. You must take responsibility
Information, as a resource, is your responsibility.
You need to have a greater understanding of what you’ve got and why you’ve got it, and a greater understanding of the risks concerning the way you use, share and exploit that information.
It is not your system supplier’s responsibility; it is down to you because it is your information.
2. Talk to your system supplier
Your system supplier will already be doing a lot of the work for you in the background, so you should understand as far as possible what that is.
If you have any concerns, you should talk to your system suppliers about what protection is in place or what protection you might like instead.
3. Check your operating system…
Suppliers can’t overstate the importance of using the latest operating systems and running regular security updates.
Microsoft only provides security updates for operating systems which they consider to be supported.
Using an older, out-of-date and unsupported operating system such as Windows XP exposes the user, and their data, to attacks.
4. …and your anti-malware software
Doctors should always assume that a data compromise is possible and ensure that they have a strong defense in place against cyberattacks.
This includes ensuring all operating systems, anti-malware software, web-filtering and antivirus software on all servers and end-point devices are updated with the most recent patches.
Since there are new attacks and new threats coming out all the time, it is not good to just update your anti-malware once a month.
5. Back up
You really can’t back up enough, according to the experts, and you must do it regularly with at least one back-up carried out offline.
You need to make sure you are resilient to attack. If something does go wrong, you don’t want to be held hostage.
You want to be able to just shut your system down and rebuild it and reinstall the data from a safe back-up.
The experts also suggest that you may want to familiarise yourself with the process for PMR and electronic prescription service back-ups.
If your system crashes you will need to revert to back-up – and how old will that be?
If your system is being backed up every few days, for instance, it may be that you’ve lost some work or you need to update the system again with anything done in the past few days.
That is why it is useful to have something in the first place that backs up frequently.
6. Restrict permissions
Access to data should be limited, based on the roles of individuals, so that only those with a genuine clinical need can access certain confidential patient data.
Doctors should ensure that credentials for system access are in the right hands.
So, if you can, use access controls to segregate off the more sensitive of your information.
Put more security around those, so that even in the event of a breach you’ve still got some effective security in place.
It could be as simple as having an additional folder that is properly password-protected with a good quality password to protect it in the event of someone getting access to a computer.
7. Use robust passwords
Remembering passwords is the bane of modern life but the constant requests for new, more complicated – and therefore less memorable – access codes are for good reason.
Password management is critical; passwords should be complex enough so they are not easily breached by hackers.
In this regard, system policies should be in place to enforce password rules.
This should include a two-step authentication process. Staff should be advised to never share passwords or hardware tokens.
8. Be wary of mobile devices
Because flash drives or other devices can be infected with malware, the experts suggest that employees should not bring them into the practice.
They should also not be used for normal business practice, but if you must, “as a last resort”, you should scan them for viruses.
The experts also stress that sensitive information on mobile electronic devices, including USB flash drives and laptops, should be routinely encrypted.
This prevents accidental exposures such as dropping an unencrypted flash drive in the street or losing a laptop with unencrypted patient data on it.
9. Ban personal use of your medical practice computers
It may be unpopular but staff should not use practice’s systems for personal e-mails or personal cloud-based applications.
10. Learn to recognise phishing
Many users still fail to recognise phishing emails.
According to the experts, if you get an email that has got an internet link in it, you need to be very conscious of whether that link could be a risk.
11. Prepare for the worst
Know who your system supplier is, who the main contact is and what their phone and email details are so you can chase them up to get the issue solved.
12. Train your team
Security is first and foremost a people problem.
Almost all malware starts and ends with the user.
Malware attacks are only successful because a member of staff clicks on something.
Anyone who has access to your information and systems needs to have effective and appropriate awareness training so that they understand the threat, they understand how to recognise potential attacks, and they understand what to do in the event of something going wrong.
This should include much of the above (e.g. good password practice, mobile device rules, personal use restrictions, recognising phishing and what to do in an emergency), which you should make into a formal policy in your medical practice.
