Don’t Let Your Lack of Healthcare IT Security Put Your Network and Organization in Jeopardy

We’ve all seen the news reports of cyber attacks against organizations of all sizes – along with, unfortunately, many healthcare organizations. Medical practitioners may believe that if they are small and/or their cybersecurity “has always worked,” they will escape the attention of the cybercriminals, but you should instead be ramping-up your healthcare IT security in Colorado immediately, instead of being complacent.

Every day there are new attacks aimed specifically at small to mid-size healthcare organizations (such as doctor’s and dentist’s offices) for the very reason that they are low-profile and less likely to have fully protected themselves. Cybercriminals have been highly successful at penetrating these smaller organizations, and carrying out their seedy activities while their unfortunate victims are unaware until it is too late.

The bottom line is – you need to do as much as possible to protect sensitive health information in EHRs. The consequences of a successful cyber attack could be very serious, including loss of patient trust, violations of the Health Insurance Portability and Accountability Act (HIPAA), or even loss of life or of the practice itself. Real-world examples both large and small abound.

Barely a day goes by that we don’t see reports on the latest cyber attacks, which call into question medical facilities’ healthcare IT security every time they happen.

What should be a source for even further motivation for medical facilities to step-up their healthcare cybersecurity, is the fact that research shows that even well-meaning computer users can inadvertently cause a cyber breach.

But, why is disaster happening to so many well-intended medical staff?

Because they fail to follow basic cybersecurity principles. This might be due to lack of training, time pressures, or any of a range of reasons. Yet, following healthcare IT security best practices can sometimes be just as important and just as basic to patient safety as good hand-washing practice.

To fight against cyber attacks both internal and external, a core set of best practices was developed by our healthcare IT security experts to address the unique needs of healthcare practices. Our medical practice cybersecurity best technology practices were developed in part from official recommendations (like HealthIT.gov).

What Can You Do to Optimize Your Healthcare Cybersecurity?

Cybersecurity is the protection of data and systems in networks that connect to the Internet – and many healthcare providers aren’t concerned enough about it.

Healthcare cybersecurity applies to any computer or other devices that can transmit electronic health records to another device over a network connection, whether it uses the Internet or some other network.

Here are some ways to keep your healthcare practice IT security maximized:

Control Access to Protected Health Information

All health care providers, health plans, and health care clearinghouses that transmit health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA are “covered entities” and must comply with the HIPAA Privacy and Security Rules.

The HIPAA Rules, as many of you may know, define “protected health information” (PHI) as all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or orally.

Generally, “individually identifiable health information” is information that relates to an individual’s health and that identifies an individual or for which there is a reasonable basis to believe can be used to identify an individual.

Helping you establish better healthcare IT security best practices in Colorado is one of the big ways CCS helps today’s medical practitioners secure patient data and stay in business.

To minimize the risk to protected health information when effectively setting up EHR systems, we are reminded of the importance of passwords in healthcare IT security best practices. The password, however, is only one half of what makes up a computer user’s credentials. The other half is the user’s identity or username. In most computer systems, these credentials (username and password) are used as part of an access control system in which users are assigned certain rights to access the data within.

This access control system might be part of an operating system (e.g., Windows) or built into a particular application (e.g., an e-prescribing module), often both are true. In any case, an EHR implementation needs to be configured to grant access to PHI only to people with a need to know it. The need to know is narrowly defined, so EHR systems should be configured carefully to allow limitation of access in all but the smallest practices.

Keep Your Medical Facility’s Network Access Limited

Ease of use and flexibility make contemporary networking tools very appealing. Web 2.0

technologies like peer-to-peer file sharing and instant messaging are popular and widely used. Wireless routing is a quick and easy way to set up broadband capability within a home or office.

However, because of the sensitivity of healthcare information and the fact that it is

protected by law; tools that might allow outsiders to gain access to a healthcare practice’s network must be used with extreme caution.

Wireless routers that allow a single incoming cable or DSL line to be used by multiple

computers are readily available for less than $100. For the small healthcare practice that intends to rely on wireless networking, special precautions must be taken. Unless the wireless router is secured, its signal can be picked up from some distance away, including, for example, the building’s parking lot, other offices in the same building, or even nearby homes.

Since PHI data flowing over the wireless network must be protected by law, it is crucial to secure the wireless signal so that only those who are permitted to access the information can pick up the signal. When a wireless router is used, it must be set up to operate only in encrypted mode.

Devices brought into the practice by visitors should not be permitted access to the network, since it is unlikely that such devices can be fully vetted for security on short notice. Setting up a network to safely permit guest access is expensive and time-consuming, so the best defense is to prohibit casual access.

In configuring a wireless network, each legitimate device must be identified to the router and only those devices permitted access. Peer-to-peer applications, such as file sharing and instant messaging can expose the connected devices to security threats and vulnerabilities, including permitting unauthorized access to the devices on which they are installed.

Good healthcare IT security policy will also prohibit staff from installing software without prior approval.

For more healthcare IT security tips, please visit our website and download our free e-book, “Stay Off the Wall of Shame – Essential IT Security Tips for Your Medical Practice and Business Associates”.

CCS Healthcare IT Security in Colorado is the Cure for Your Worries

We help you establish better healthcare cybersecurity policies and practices – which is one of the big ways we help today’s medical practitioners keep patient data secure and stay in business.

For further guidance and qualified consultancy on establishing better healthcare IT security policies and best practices in Colorado, visit CCS and contact us at (719) 439-0599 or by secure contact form for more information and to get started right away.