The word cybersecurity is everywhere these days. There are blogs, articles and webinars devoted to the topic, most of them saying that providers need to spend more and that their data is under constant threat of being breached. What does this all really mean, other than you spending money, probably a lot of it, to protect yourself from some invisible threat? Although everyone understands the reality of all this, there is little detail on how to properly protect your practice. First, forget about the spending part. Understand that the question is not how likely it is that your data will be breached or your network infiltrated; it is what it will cost you if that ever happens.
What could it cost you in realized and unrealized costs? Suppose your network is unprotected and you get a virus that shuts down your entire network. Now you can’t use any of your computers, and you can’t run your practice, because if not 100% then more than 75% of your workflow depends on a computer. Think about it: if you have no power in your office, what are you able to do? Not very much, right? The same would be true if your network went down. So if you can’t run your practice for a day, what does that cost you? If you can’t see patients, how much money have you lost? You still have to pay bills, right? So you are spending money while you are making $0.
What happens if you are careless with logins and passwords and a disgruntled employee deletes or changes records? If staff share a login, you may not even be able to tell who made the change. What impact could that have on your practice? On you personally? What would happen if someone was able to access your network and your software solutions, steal patient data and commit identity theft? If it happened to multiple people, how would your patients feel? How would you? Identity theft causes lasting problems for the victim, and straightening out the matter can take months. Even if it happened to just one patient, it could be devastating to them.
If you took every possible precaution, you can speak to the patient(s) with confidence that you truly did your best and that, unfortunately, criminals outsmarted you. But if you don’t have the proper safety measures in place, it will be hard to repair the damage to your reputation. Doesn’t sound possible? Have you ever had a patient who had a procedure and was in the 1% that had an adverse reaction? If so, remember that when it comes to cybersecurity: even if there is just a 1% chance of an incident, when it happens it could be catastrophic. The ripple effect could leave you crippled or, worse, shut you down.
So do you have someone, or a company, maintaining your hardware? It may seem like an unnecessary expense, but instead make the most of this investment: have them present a plan for how they will maintain and protect your network and hardware. Use the checklist below to establish some simple, basic guidelines that will help you protect your practice. If you are already following any or all of the items below, then congratulations! But think about what more you may be able to do.
#1 Use strong passwords, never reuse them across systems, and change them regularly
#2 Install and Maintain Anti-Virus Software
#3 Use a Firewall
#4 Control Access to Protected Health Information Grant access to PHI (protected health information) only to staff members who need it to do their jobs. If there are areas of the EHR that certain staff members never need, restrict them. When you have a new employee, start with limited access and add to it as needed and as you see fit. This is not just a safeguard; it also sets the tone for how seriously you take confidentiality and the protection of information.
#5 Limit Network Access Make it company policy that no one installs software on practice computers without prior approval; unapproved software is one of the easiest ways for malware to get onto your network.
#6 Maintain Good Computer Habits Just as you know the importance of healthy habits for maintaining good health and reducing the risk of infection and disease, you must know the same for your practice: install updates for operating systems and applications promptly, and remove software you no longer use.
#7 Establish a Security Culture Security professionals widely agree that the weakest link in any computer system is the user. Everyone in the practice, providers included, should understand how they can help maintain security by not sharing passwords, not leaving themselves logged in while their device is unattended, not downloading software for personal use or from questionable sources, and changing passwords on a regular basis.
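The point of #4 above (grant access to PHI only where it is needed, start new employees with limited access and add to it as you go) and the concern earlier in the article about a careless login letting a disgruntled employee change records without a trace can both be shown concretely. The following is an added example written for this page, not code from the article or from any EHR product. The EHR sections, roles, staff names and the permission table are all constructed for illustration; a real practice would map them onto the access settings its own EHR provides.

```python
"""Least-privilege access to EHR sections with an audit trail (added example).

Assumed names, not from the article: EHR sections "scheduling", "billing",
"clinical_notes" and "lab_results"; roles and staff members below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# EHR areas a practice might have (constructed for this example).
SECTIONS = frozenset({"scheduling", "billing", "clinical_notes", "lab_results"})
ACTIONS = frozenset({"read", "write"})

# Role -> permitted (section, action) pairs. Anything not listed is denied,
# so a role can never reach an area it was not explicitly given.
ROLE_PERMISSIONS = {
    "front_desk": {("scheduling", "read"), ("scheduling", "write")},
    "billing": {("scheduling", "read"), ("billing", "read"), ("billing", "write")},
    "nurse": {("scheduling", "read"), ("clinical_notes", "read"),
              ("clinical_notes", "write"), ("lab_results", "read")},
    "provider": {("scheduling", "read"), ("clinical_notes", "read"),
                 ("clinical_notes", "write"), ("lab_results", "read"),
                 ("lab_results", "write"), ("billing", "read")},
    # A new hire starts with nothing; access is added per section as needed.
    "new_hire": set(),
}


@dataclass
class StaffMember:
    name: str
    role: str
    # Individual grants layered on top of the role, e.g. while a new hire is trained.
    extra_grants: set = field(default_factory=set)


class EhrAccessControl:
    """Deny-by-default access checks that record every decision by user."""

    def __init__(self):
        self.audit_log = []  # one dict per decision: who, what, decision, when

    def grant(self, staff, section, action):
        """Add a single (section, action) permission to one person."""
        self._validate(section, action)
        staff.extra_grants.add((section, action))
        self._record(staff, section, action, "granted")

    def is_allowed(self, staff, section, action):
        """Return True only if the role or an explicit grant permits the action."""
        self._validate(section, action)
        pair = (section, action)
        allowed = (pair in ROLE_PERMISSIONS.get(staff.role, set())
                   or pair in staff.extra_grants)
        self._record(staff, section, action, "allowed" if allowed else "denied")
        return allowed

    def denied_attempts(self, name):
        """Every denied request made under a given person's login."""
        return [e for e in self.audit_log
                if e["who"] == name and e["decision"] == "denied"]

    def _validate(self, section, action):
        # Unknown sections or actions are an error, not a silent allow.
        if section not in SECTIONS or action not in ACTIONS:
            raise ValueError(f"unknown section/action: {section}/{action}")

    def _record(self, staff, section, action, decision):
        self.audit_log.append({
            "who": staff.name, "role": staff.role, "section": section,
            "action": action, "decision": decision,
            "when": datetime.now(timezone.utc).isoformat(),
        })


def demo():
    """Walk a new hire and a nurse through typical requests; returns the outcomes."""
    acl = EhrAccessControl()
    temp = StaffMember("Dana", "new_hire")   # constructed
    nurse = StaffMember("Lee", "nurse")      # constructed
    results = {}
    results["new_hire_scheduling_before"] = acl.is_allowed(temp, "scheduling", "read")
    acl.grant(temp, "scheduling", "read")    # add access only once it is needed
    results["new_hire_scheduling_after"] = acl.is_allowed(temp, "scheduling", "read")
    results["new_hire_notes"] = acl.is_allowed(temp, "clinical_notes", "read")
    results["nurse_billing_write"] = acl.is_allowed(nurse, "billing", "write")
    results["nurse_notes_write"] = acl.is_allowed(nurse, "clinical_notes", "write")
    results["denied_for_dana"] = len(acl.denied_attempts("Dana"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices carry the lesson. Access is denied unless a role or a named grant allows it, so forgetting to configure something fails closed rather than open. And every decision is logged against an individual login, which is only meaningful if each staff member has their own account; that is why the article's warnings about shared logins matter as much as the access settings themselves.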