Computers, mobile phones and other electronic devices have penetrated our lives and changed them in ways nobody expected. The healthcare field is no exception. Many people know that cybersecurity is important, but few are aware of how to use these devices effectively and safely. Raising people’s awareness is a difficult task, and providing cybersecurity, such as protecting internal data, is becoming more important. In this article, we offer ten tips to help enhance cybersecurity in healthcare. Hopefully, these 10 tips will help you handle your devices more effectively.
Tip 1: Pay Attention to Protection
The first and foremost aim of cybersecurity is to protect your devices. Laptops, tablets, smartphones and other portable devices are widely used in medicine for many purposes, such as creating healthcare records. At the same time, the data on them is at risk because these devices are easy to lose or steal.
In addition, portable devices are exposed to electromagnetic interference to a greater extent than stationary devices, so the information stored on them can be damaged. Besides, portable devices are used outside the clinic, where anyone can steal confidential information about clients. Therefore, users should take action to prevent unauthorized access. The following typical weak points in healthcare cybersecurity should be addressed:
- Strengthen access control and authentication. According to assignment writers Australia, some devices used in health care aren’t equipped with the necessary access controls or strong authentication. Therefore, all devices used in clinics should be checked for these characteristics and secured against unauthorized use. For example, laptops should be protected by passwords, and it’s no problem to protect all handheld devices with passwords. Where password protection isn’t available, physical control of the devices can be employed instead.
- Protect wireless transmission of data. Special attention should be paid to wireless transmission of data, because data loss often occurs during transmission. Therefore, electronic health data should be transmitted with encryption, as recommended by cybersecurity experts.
- Develop health care cybersecurity guidance and mitigation strategies. Data transmission with the help of mobile devices is risky, and it would be better not to use this method to transport data despite its convenience. Each healthcare facility should also develop its own guidelines regarding healthcare cybersecurity and related mitigation strategies based on national guidance. Additionally, data should be encrypted: the cost of encryption is less than the cost of mitigating a data breach. The hard drive of a clinic laptop holding important healthcare information should be encrypted if the device is taken out of a secure area. As many employees tend to work from home these days, an appropriate health care cybersecurity policy should be developed to protect patients’ personal data. Workers should understand that they are responsible for data security even when they work at home.
Tip 2: Use Appropriate Anti-Virus Software
Small healthcare offices and clinics often become victims of hackers through viruses. Even computers with the latest security updates may be at risk from an attack that exploits undetected flaws. Outside sources like flash drives, email, CDs or web downloads can also introduce viruses. Therefore, using products that provide updated protection is important. Different types of anti-virus software, such as ESET NOD32 Antivirus or Kaspersky, are widely available on the internet, and they are reliable and affordable.
Many healthcare facilities have started using electronic healthcare records (EHR) for more accurate record keeping, so keeping anti-virus software updated is increasingly important. New viruses and malware are created continuously, and vendors release updates in response; these updates should be applied regularly on all devices. This is easy to do because anti-virus software generates update reminders automatically. Applying these updates matters because, without current anti-virus software, data may be destroyed, defaced or simply stolen by attackers. But how do you recognize whether a computer is infected?
Here are the symptoms of a virus infection:
- The internet browser sends you to unwanted pages
- The user can’t control the mouse or the pointer
- Unwanted advertising content pops up
- The system crashes continuously for no reason
- Anti-virus software doesn’t work
- The system can’t start normally (blue screen)
So, if you notice some of these errors on your devices, it may indicate the presence of a virus. The infection should be removed immediately, as it can destroy data entirely.
Tip 3: Maintain Good Habits
Medical practitioners know that maintaining good habits is a great way to improve health. The same principle applies in cybersecurity. Developing good habits in using EHR is essential to ensure the proper functioning of software and devices. These habits should target the following areas:
- Configuration management
- Software maintenance
- Operating system (OS) maintenance
Modern electronic devices come with many options, but little guidance is included regarding their security configuration. It’s sometimes difficult to identify which options to activate and which to turn off. However, there are several rules to follow:
- Uninstall software that isn’t related to running the practice, such as games, instant messaging chats, photo-sharing tools, etc. Sometimes the purpose of a piece of software is unclear; in this case, visit the website of the company that developed it to learn more about the application, and find out whether it is critical to the EHR.
- Don’t accept default configurations without review. Each step should be well thought out and justified. You should understand your choices and ask for technical assistance if necessary.
- Find out whether the EHR vendor keeps an open connection to provide software updates and support. If so, make sure the connection is secure and disable this access when it’s not in use.
- Disable remote file sharing and printing to avoid accidental sharing or printing, which can give unauthorized access.
Software should be updated periodically to keep it secure. As a rule, vendors deliver updates as automated or customer-requested downloads. Software should be kept updated continuously because these updates address newly found vulnerabilities. For small clinics, it’s better to automate these updates, while in larger hospitals applying updates is a daily task because multiple vendors send updates frequently. Urgent updates may also be required in the case of a hacker attack.
Operating systems tend to accumulate unnecessary or outdated information. This should be addressed, and regular monitoring should be scheduled just like the monitoring of medical supplies. You will need to monitor the following:
- Accounts of former employees should be disabled on time. If a worker was involuntarily terminated, you need to disable access to their
- It’s necessary to “sanitize” computers and other devices of confidential data before disposal. Deleting data from a hard drive is not enough, as it can be recovered with widely available tools. To avoid an unintended data breach, follow national guidelines for data disposal. Old data can be archived or cleaned off depending on its applicability. Trial or old versions of software you don’t need should be fully uninstalled.
- It’s important to install anti-virus programs on each computer in the office to protect them from unapproved software downloads. Anti-virus programs can run configuration and vulnerability scans or conduct security audits on a regular basis. These activities should be performed in cooperation with the IT department.
Tip 4: Security Culture
Developing a security culture is one of the most effective approaches to ensuring cybersecurity in health care. However, increasing people’s awareness of software vulnerabilities that threaten information security isn’t easy. Security measures are not effective if employees in healthcare facilities refuse to implement them, so appropriate policies and training must be enforced. This means that each healthcare practice should support an organizational culture that supports the implementation of security measures.
The most widespread mistake is that users think a data breach can never happen in their own practice. Senior managers should develop appropriate policies with this in mind to address the issue effectively. Normally, all you need is to follow a set of recommended practices and check for updates on time. It doesn’t take much time or effort, just discipline. Therefore, a responsible and disciplined employee should be put in charge of these activities. In this way, healthcare facilities can avoid a great number of cybersecurity issues. You will need to use checklists and controls. Proper security practices should become habits and be performed automatically in any organization that aims to develop a security-minded culture.
Here are some steps to follow on the way to developing an appropriate security culture:
- A frequent and continuous training process on security issues.
- Mentorship from those who manage the work of all employees, showing how everyone should behave when it comes to cybersecurity.
- Accountability for information security should be a core value of the healthcare facility. Ideally, impeccable information security practices protecting patients’ personal information must be second nature to any healthcare facility.
Tip 5: Access Control
Setting passwords is an easy and effective way to control access, but it is only 50% of the job of protecting EHR records from a breach. The user’s identity is the second part of protecting patients’ data, and it is often used to control access to that data. Access control options can be built into your operating system (Windows) or an application (an e-prescribing module). Using these options, you can give access to health information only to those people who need to know it. In small clinics, this can be done manually with an access control list. A person with authorized rights to the system (the system administrator) can perform these actions. Before granting access to employees, you need to identify the access rights for each person.
You may also need to assign roles to those who have access to patients’ data. This may require additional configuration of the system according to the roles performed by nurses, billing specialists or physicians, including the type of information each role may access. It’s important to assign the correct roles to staff and to distribute the access permissions for these roles correctly, taking into account the information each person needs to know to perform their duties effectively. This is a complex process because the tasks and responsibilities of employees often overlap. Therefore, setting up the systems in small healthcare facilities requires a lot of effort and time.
Sometimes EHR records are accessed without permission. This may or may not constitute a data breach depending on the particular circumstances. In some cases, the incident must be reported to the national cybersecurity agency; the required actions are described in the law. By checking access logs you can prevent such data breaches in the future. In general, good access controls help avoid these malpractices.
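To make the access control list and role setup described above concrete, here is an added example (our own illustration, not code from the article or from any EHR vendor) of a small role-based access control for sections of a patient record. The roles, record sections, usernames and permission matrix are all constructed assumptions. It also covers the point from Tip 3 that accounts of former employees must be disabled rather than left active, and it keeps an access log so that denied attempts can be reviewed afterwards, as the paragraph above recommends.

```python
from dataclasses import dataclass, field

# Constructed role matrix for a small practice (illustrative only):
# record section -> actions each role may perform on it.
ROLE_PERMISSIONS = {
    "physician": {
        "demographics": {"read"},
        "clinical_notes": {"read", "write"},
        "prescriptions": {"read", "write"},
        "billing": {"read"},
    },
    "nurse": {
        "demographics": {"read"},
        "clinical_notes": {"read", "write"},
        "prescriptions": {"read"},
    },
    "billing_specialist": {
        "demographics": {"read"},
        "billing": {"read", "write"},
    },
}


@dataclass
class User:
    username: str
    roles: set
    active: bool = True  # set to False once the employee has left the practice


@dataclass
class EhrAccessControl:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add_user(self, user):
        self.users[user.username] = user

    def disable_user(self, username):
        """Offboarding: keep the account for the audit trail but refuse all access."""
        self.users[username].active = False

    def is_allowed(self, username, section, action):
        """Decide one access request; unknown or disabled accounts are always denied."""
        user = self.users.get(username)
        if user is None or not user.active:
            allowed = False
        else:
            allowed = any(
                action in ROLE_PERMISSIONS.get(role, {}).get(section, set())
                for role in user.roles
            )
        # Every decision is logged so that unauthorized attempts can be reviewed later.
        self.audit_log.append(
            {"user": username, "section": section, "action": action, "allowed": allowed}
        )
        return allowed

    def denied_attempts(self):
        """The entries an administrator would review when checking access logs."""
        return [entry for entry in self.audit_log if not entry["allowed"]]


def build_demo():
    """Constructed staff list: one physician, one nurse, one billing specialist
    and one former temporary nurse whose account has been disabled."""
    acl = EhrAccessControl()
    acl.add_user(User("dr_lee", {"physician"}))
    acl.add_user(User("nurse_kim", {"nurse"}))
    acl.add_user(User("pat_billing", {"billing_specialist"}))
    acl.add_user(User("former_temp", {"nurse"}))
    acl.disable_user("former_temp")
    return acl


if __name__ == "__main__":
    acl = build_demo()
    for who, section, action in [
        ("dr_lee", "prescriptions", "write"),
        ("nurse_kim", "prescriptions", "write"),
        ("pat_billing", "clinical_notes", "read"),
        ("former_temp", "demographics", "read"),
    ]:
        print(who, action, section, "->", "allowed" if acl.is_allowed(who, section, action) else "denied")
    print("denied attempts to review:", len(acl.denied_attempts()))
```

The matrix is deliberately small; the point is that each role sees only what its duties require, and that overlapping duties (a nurse reading but not writing prescriptions) are expressed as separate actions per section rather than as all-or-nothing access.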
Tip 6: Control Physical Access
Securing information is important, but physical access to computers should be controlled as well. The EHR system must be protected from unauthorized access. Sometimes devices holding EHR information are lost or stolen, which results in unauthorized access and a data breach. According to a report of the Office for Civil Rights, 50% of data loss cases result from losing devices (handhelds, hard drives, backup tapes, desktop computers, network servers) and portable storage media (CDs, DVDs, flash drives, etc.). Therefore, it’s important to lower the chances that devices or portable media are lost or stolen.
One possible measure is to secure devices in locked rooms, manage keys effectively and restrict the ability of personnel to remove devices from secure rooms. The server that contains confidential information should also be kept in a secure, locked area. When choosing a location for a server, you should take into account the following factors:
- physical protection
- environmental protection.
Physical protection focuses on preventing access to the server by individuals who are not meant to access this information; only staff should have access to the server. Environmental protection aims at protecting the server from water, fire or other external impact. A server should be kept off the floor. It’s not a good idea to keep it in a restroom, near sources of water, in front of windows or in areas where the temperature is regulated.
Tip 7: Create Strong Passwords
Passwords protect devices from unauthorized access. A device must require a password to log in regardless of the type of OS. Strong passwords protect devices from attacks and can discourage attackers from trying to access them. Besides, strong passwords and effective access controls help avoid casual misuse, including personal curiosity without any legitimate need to access the information. A strong password is not easy to guess. Hackers sometimes use automated methods to guess passwords, so passwords should not have any vulnerable characteristics.
Strong passwords have the following characteristics:
- A strong password has at least eight characters. The longer the password, the stronger it is.
- A strong password includes a combination of upper and lower case letters. It must also contain at least one number and a special character; a special character can be a punctuation mark.
- Passwords should be changed regularly. Normally, a password should be changed once a month. It may seem inconvenient for users, but it definitely reduces the risk of the password being stolen.
Your password is weak if:
- You use words from a dictionary as a password, even if you alter them
- You include personal information, such as your birth date, your name, names of family members or your social security number. Overall, your password should not include any information widely available on social networking sites.
Strong authentication uses multiple methods. For example, in addition to passwords, you can use other authentication methods, such as an iris scan, a fingerprint, smartcards or a key fob. In larger healthcare facilities, the use of multi-factor authentication is prescribed by national regulations.
Sometimes people forget passwords. It’s important to discourage employees from writing down passwords and keeping them in unsecured places. Password resetting may involve the following:
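The strong and weak characteristics listed above can be turned into a checker that a practice runs when staff choose a password. The following is an added example written for this article, not code from the article itself or from any product; the word list, the substitution table and the sample personal details are constructed for illustration. It goes slightly beyond the list by undoing common letter substitutions (so that an altered dictionary word is still caught) and by breaking a name or birth date into fragments before looking for them in the password, and it includes the monthly rotation check from the list of strong characteristics.

```python
import re
import string
from datetime import date

# Constructed word list and substitution table; a real deployment would use a
# large dictionary or a breached-password list instead of these five words.
DICTIONARY_WORDS = {"password", "welcome", "hospital", "clinic", "summer"}
LEET_MAP = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
)


def normalize(password):
    """Undo common substitutions so 'P4ssw0rd!' is still recognised as 'password'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def personal_tokens(personal_info):
    """Split values like 'Jane Smith' or '1985-03-12' into fragments worth checking."""
    tokens = set()
    for item in personal_info:
        parts = [p for p in re.split(r"[^a-z0-9]+", item.lower()) if p]
        tokens.update(p for p in parts if len(p) >= 4)
        joined = "".join(parts)
        if len(joined) >= 4:
            tokens.add(joined)
    return tokens


def password_weaknesses(password, personal_info=(), dictionary=DICTIONARY_WORDS):
    """Return the weak characteristics found in `password` (empty list = strong)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs at least one special character")
    normalized = normalize(password)
    if any(word in normalized for word in dictionary):
        problems.append("based on a dictionary word")
    compact = re.sub(r"[^a-z0-9]", "", password.lower())
    found = sorted(t for t in personal_tokens(personal_info) if t in compact)
    if found:
        problems.append("contains personal information (" + ", ".join(found) + ")")
    return problems


def is_strong(password, personal_info=()):
    return not password_weaknesses(password, personal_info)


def rotation_due(last_changed, today, max_age_days=30):
    """Flag passwords older than the monthly change interval recommended above."""
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    # Constructed user profile: the values an attacker could read off a social network.
    profile = ["Jane Smith", "1985-03-12"]
    for candidate in ["P4ssw0rd!", "Jane1985!x", "short1!", "Tr!age-Ward-9q"]:
        print(candidate, "->", password_weaknesses(candidate, profile) or "strong")
    print("rotation due:", rotation_due(date(2024, 1, 1), date(2024, 2, 1)))
```

Note that the checker reports every weakness it finds rather than stopping at the first one, which is what a user needs in order to fix the password in one attempt.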
- Allow one or several team members to reset passwords
- Select software that allows resetting passwords automatically.
Tip 8: Restrict Network Access
Modern networking tools are easy to use, cheap and flexible. Instant messaging and file sharing programs are very popular among users. Wireless routers provide broadband connectivity within offices. However, healthcare data is extremely sensitive and it can become available to outsiders through network access. Therefore, networking tools should be used with caution.
For a small clinic, it’s enough to invest in one internet line, which costs around $100. Small healthcare facilities rely on wireless tools, but they need to use them with precautions. If a wireless router isn’t secured, its signal can be captured from neighboring offices in the same building or from the parking lot. As EHR data is transmitted over wireless networks, the signal should be secured so that only people who have been granted access to this data can pick it up. You should set wireless routers to encrypted mode.
Network access for devices brought in by visitors should be limited because these devices can’t be vetted for security in a short time. Giving safe access to guests’ devices may take a lot of time and money, so prohibiting casual access is the best choice in this case. The router should identify each legitimate device, and only then should access be permitted. Instant messengers and file sharing programs expose the devices connected to the network to threats like unauthorized access. These programs should not be installed without special permission or approval. Devices with file sharing applications or instant messengers may also have exploitable components, so uninstalling or turning these programs off may not be enough to deactivate them. Staff should be prohibited from installing software without prior approval.
Tip 9: Use a Firewall
It’s difficult to disconnect the EHR system from the internet, so it must have firewall protection to prevent external intrusions. Equipped with anti-virus software to destroy malicious software and a firewall to keep out intruders, you can provide full protection of internal data. A firewall can be software or a hardware device. Its main job is to inspect incoming messages and sort them according to certain criteria. Configuring a firewall is sometimes a difficult task, so the installation, monitoring and maintenance of this software or hardware should be performed by professionals.
Firewalls often come with common settings that can be used in many situations. Firewalls are sometimes included in the OS to provide protection from external threats from the moment of installation. Security software vendors sometimes provide firewalls as well. Firewalls are normally accompanied by configuration guidance.
Hardware firewalls are the better choice for large healthcare practices. One alternative is a firewall on the Local Area Network (LAN) with centralized management of settings, which can increase the security of the LAN because the firewall settings are the same for all users.
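The sentence above describes a firewall as something that inspects incoming messages and sorts them by criteria. The following added example (written for this article, not taken from it or from any firewall product) shows that sorting as a small rule evaluator: an ordered list of rules, first match wins, and a final rule that denies everything not explicitly allowed. The addresses, the EHR server, the admin workstation and the sample traffic are all constructed assumptions; the guest-network entry ties back to Tip 8, where visitor devices are kept off the practice network.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    dst_port: int
    proto: str      # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    src_net: str = "0.0.0.0/0"          # any source unless narrowed
    dst_net: str = "0.0.0.0/0"          # any destination unless narrowed
    dst_ports: frozenset = frozenset()  # empty means any port
    proto: str = "any"

    def matches(self, pkt):
        """A packet matches when every criterion of the rule is satisfied."""
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
            and (not self.dst_ports or pkt.dst_port in self.dst_ports)
            and self.proto in ("any", pkt.proto)
        )


# Constructed addresses for the illustration: the practice LAN, the EHR server
# and the one workstation from which the server is administered.
PRACTICE_LAN = "10.0.1.0/24"
EHR_SERVER = "10.0.1.10/32"
ADMIN_HOST = "10.0.1.2/32"

# Rules are evaluated top to bottom; the first match wins and the last rule
# denies everything that no earlier rule explicitly allowed.
RULES = [
    Rule("allow", src_net=PRACTICE_LAN, dst_net=EHR_SERVER, dst_ports=frozenset({443}), proto="tcp"),
    Rule("allow", src_net=ADMIN_HOST, dst_net=EHR_SERVER, dst_ports=frozenset({22}), proto="tcp"),
    Rule("deny"),
]


def evaluate(pkt, rules=RULES):
    """Return the action of the first matching rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # safety net in case a rule set omits the final deny


def filter_traffic(packets, rules=RULES):
    """Sort a batch of packets into decisions, the way a firewall log would show them."""
    return [(pkt, evaluate(pkt, rules)) for pkt in packets]


# Constructed sample traffic seen by the firewall in front of the EHR server.
SAMPLE_TRAFFIC = [
    Packet("10.0.1.25", "10.0.1.10", 443, "tcp"),     # staff workstation to EHR web front end
    Packet("10.0.1.2", "10.0.1.10", 22, "tcp"),       # admin workstation managing the server
    Packet("10.0.1.25", "10.0.1.10", 22, "tcp"),      # non-admin workstation trying the admin port
    Packet("10.0.2.7", "10.0.1.10", 443, "tcp"),      # device on the separate guest network
    Packet("203.0.113.5", "10.0.1.10", 3389, "tcp"),  # internet host probing remote desktop
]


def denied_count(packets=SAMPLE_TRAFFIC, rules=RULES):
    return sum(1 for _, action in filter_traffic(packets, rules) if action == "deny")


if __name__ == "__main__":
    for pkt, action in filter_traffic(SAMPLE_TRAFFIC):
        print(f"{action:5} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dst_port}")
    print("denied:", denied_count())
```

The shape of the policy matters more than the exact addresses: allow only the specific source, destination, port and protocol each legitimate use needs, put administrative access on a narrower rule than staff access, and finish with an explicit deny so that anything unexpected, including guest devices and internet probes, is dropped rather than passed through by omission.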
Tip 10: Be Prepared for Force-majeure Situations
Sometimes unexpected situations occur. Various force-majeure events can hamper the normal work of a health care office: a flood, hurricane or fire can destroy the whole office, not only the EHR. However, you can protect your data from these events. You will need two things to do so:
- Create backups
- Create a recovery plan.
Small practices rarely create backups until they face a crash. This is the wrong approach, and small healthcare facilities should consider creating backups. Backups should be created on a regular basis so that information can be restored when necessary. You can count on backups in an emergency only if they are reliable. Therefore, it’s important not only to capture the necessary data but also to restore it accurately. You should test backup media to make sure data can be restored properly.
You can use CDs, DVDs, hard drives or magnetic tapes to hold backups. They should be stored safely to prevent damage. Another option for storing data is cloud computing. This is a viable option for both small and large healthcare practices because it doesn’t involve large investments or significant technical expertise. You should select backup software carefully because it can be error-prone, or data in the cloud can be copied by third parties. It’s preferable to use an automated backup method.
Backup media such as hard drives or magnetic tapes are reusable. However, these media tend to age with time or after multiple backup cycles. You should test backup media regularly to make sure they still store data reliably. Backup media should be protected with the same access controls as the rest of the software and hardware.
We hope that our tips will help you store your EHR safely. Cybersecurity measures include setting passwords, controlling unauthorized access and using firewalls. The emphasis of cybersecurity measures should be on developing a security-minded organizational culture.
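The three paragraphs above make one procedural point: a backup is only useful if you have proved it restores correctly, and media age, so that proof has to be repeated. The following added example (written for this article, not code from it or from any backup product) shows the minimum of that procedure: archive a folder, record a checksum of every file as a manifest, then restore the archive into a scratch directory and compare each restored file against the manifest. The demo function creates a constructed sample folder, verifies the backup, then flips one byte of the archive to simulate media damage and verifies again, which is the check that catches an aged tape or disk before you depend on it.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path):
    """Checksum a file in chunks so large exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive every file under src_dir; return {relative path: sha256} as the manifest."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(src_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_of(path)
                tar.add(str(path), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and check every file against the manifest.

    Returns False on a read error, a missing file, a hash mismatch, or an archive
    entry whose path would escape the restore directory.
    """
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive_path, "r:gz") as tar:
                for member in tar.getmembers():
                    if member.name.startswith("/") or ".." in Path(member.name).parts:
                        return False
                tar.extractall(scratch)
            for rel, expected in manifest.items():
                restored = Path(scratch) / rel
                if not restored.is_file() or sha256_of(restored) != expected:
                    return False
        return True
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False


def run_demo():
    """Back up a constructed sample export, verify it, damage the archive, verify again."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "ehr_export"
        (src / "notes").mkdir(parents=True)
        # Constructed sample content, not real patient data.
        (src / "patients.csv").write_text("id,name\n1,CONSTRUCTED SAMPLE\n")
        (src / "notes" / "visit_0001.txt").write_text("constructed sample visit note\n")

        archive = Path(work) / "backup.tar.gz"
        manifest = make_backup(src, archive)
        ok_before = verify_restore(archive, manifest)

        # Simulate media damage: flip one byte in the middle of the archive.
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(data)
        ok_after = verify_restore(archive, manifest)

    return ok_before, ok_after, sorted(manifest)


if __name__ == "__main__":
    before, after, files = run_demo()
    print("files in backup:", files)
    print("restore test on fresh archive:", "passed" if before else "FAILED")
    print("restore test on damaged archive:", "passed" if after else "FAILED")
```

Two points from the text are built in: the manifest is kept separately from the archive, so a damaged medium cannot quietly "verify" against itself, and the restore goes into a scratch location rather than over live data, which is how a restore test should always be run.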