Five Easy Healthcare Cybersecurity Tips From EHR Developers

By the EHRA Privacy & Security Workgroup

Whether you work for a large health system or small physician practice, you know that securing your patients’ data is important, and it’s a responsibility you take seriously. But chances are, you haven’t fully implemented as many cybersecurity best practices as you could.

In a recent threats report, McAfee Labs wrote, “In 2017 the health care sector experienced a 210% increase in publicly disclosed security incidents compared with 2016… [E]xperts concluded that many of the incidents were caused by failures to comply with security best practices or to address vulnerabilities in medical software.”

The bad news is, you’re at risk not only from criminals and vandals who target vulnerabilities in healthcare organizations’ data security measures, but from carelessness and errors in judgement by well-meaning staff.

The good news is that many best practices in cyber-hygiene are straightforward and uncomplicated to implement. Check this list against your own organization’s cybersecurity practices, and make a plan to implement the missing pieces as soon as possible.

1. TRAIN YOUR TEAM

Train all team members who have access to protected health information. Every new hire should be formally trained on data security practices, and why each rule is so important. Regular refresher training should also be required.

2. ENABLE SECURE PASSWORDS

Make sure staff members understand and follow good password practices:

  • DO use different passwords for different sites.
  • DON’T use personal names, dates, or other personal information as passwords.
  • DO choose longer, easy-to-remember passphrases.
  • DON’T share passwords.
  • DO sign out before walking away from a terminal, even if just for a minute.
  • DON’T write down login and password information on sticky notes or other places where others could find them.

Click here for more best password practices.

3. IMPLEMENT OPERATING SYSTEM AND SOFTWARE UPDATES AS SOON AS THEY’RE AVAILABLE

Older versions may have vulnerabilities that malicious hackers will quickly take advantage of. Enable automatic updates, and/or when your computer notifies you that an update is available, make it a priority to install it the same day to better protect your data.

4. ENCOURAGE BROWSER BEST PRACTICES

Keep up with browser updates, carefully monitor how staff are using browser plug-ins and extensions, and install popup blockers.

5. USE STRONG ENCRYPTION

Many security breaches happen due to a lost cell phone, tablet, laptop, or USB drive. Encrypt these devices and all other removable media, including backup tapes and drives, to keep data secure. Learn more here.

HIMSS created an infographic highlighting these and other best cybersecurity practices for healthcare organizations.

As we wrote in an earlier blog post, “Privacy and security are two separate yet integral parts of any cybersecurity framework; they have many overlaps and often, particularly in healthcare, we can’t talk about security without also talking about privacy.”

Reach out to your EHR vendor for assistance in your efforts to raise the bar on your organization’s security practices. Government resources include:

  • The Office of the National Coordinator for Health IT offers information about how to perform health IT security assessments.
  • The Department of Health and Human Services offers a variety of resources and cybersecurity guidance for healthcare organizations.
  • The National Institute of Standards & Technology (NIST) has created a voluntary cybersecurity framework that consists of standards, guidelines, and best practices for organizations to manage cybersecurity-related risk. 
  • The Department of Homeland Security provides resources and materials to support industry cybersecurity efforts.