Cybersecurity is the practice of defending servers, computers, mobile devices, networks, and data from malicious attacks. Cyber threats continue to evolve at a fast pace, with a rising number of data breaches each year. In fact, according to the Australian Cyber Security Centre’s Annual Cyber Threat Report from 2020, between the 1st of July 2019 and 30th of June 2020, the ACSC responded to approximately 164 cybercrime reports per day. That’s roughly one every 10 minutes.
Historically, medical Practices and public entities experience the most breaches. These sectors are more appealing to hackers because they regularly collect lots of personal information, financial records and medical data.
Following simple but effective cybersecurity best practices can ensure your data is safe from unauthorised access.
Different Types of Cybersecurity Threats
There are a wide range of methods that hackers can use to illegitimately gain access to your Practice’s information. Listed below are some of the more common methods which you may have heard of.
- Ransomware – Ransomware is a type of malicious software designed to hold files or data ‘hostage’. Once a Practice’s computer system has been compromised, patient files are inaccessible until a ransom is paid. Paying the ransom does not guarantee that the data will be recovered.
- Phishing – This is the practice of sending fraudulent emails that resemble emails from reputable sources. Phishing attacks often target individuals with emails that look like they’re from your bank or financial institution. The aim is to steal sensitive data like credit card numbers or account login information. It is the most common type of cyber-attack.
- Social Engineering – Social engineering is a tactic that hackers use to trick you into thinking you’re speaking to a representative from a legitimate organisation, and then getting you to reveal sensitive information. Social engineering is often combined with the methods listed above to make you more likely to click on a link or hand over sensitive data.
IT Security Tips for Practices
The first thing you can do is establish a security culture within your Practice.
The weakest link in any computer system is the user. Protecting patient data through good security practices should be second nature, similar to the Practice’s sanitary measures. Ensuring that your staff are familiar with your cybersecurity measures and how to identify a cyber threat makes your Practice more secure.
Keep Your Practice Software Updated
Taking your entire system offline to perform software updates is a daunting prospect.
However, neglecting to get the latest version of your software leaves devices significantly more vulnerable to attack. Furthermore, any security patches that come with an update will be unavailable to you. Hackers will take advantage of complacency and can remain undetected in an out-of-date system far easier than in systems with the latest software updates.
Maintain Secure Access to Patient Data
You may have seen media reports of victims whose private information was stolen by hackers. Failing to keep your patient data secure can be catastrophic. Hackers can use data from your patient records to commit identity theft and access patient bank accounts.
It is important to control access to patient records and only allow authorised personnel to have access to their details. Have a system in place to audit your system, and regularly verify who accessed which patient records, and when. It’s also important to promptly remove system access from staff who have resigned, or have been terminated.
Computer System Maintenance
Over time, operating systems tends to accumulate and catalogue old information and redundant data unless regular maintenance is performed. Just as your medical supplies must be monitored for expiration dates, material that is out of date on a computer system must be discarded or archived.
Some things you can do to ensure you’re following cybersecurity best practices with regards to computer maintenance are:
- Ensuring user accounts for former employees are disabled.
- Computers and other storage devices that have had data stored on them are sanitized before disposal.
- Old data files are archived for storage, or cleaned off the system if not needed, subject to data retention requirements.
- Software that is no longer required is removed from the computer, this includes trial software and any outdated versions of software.
Installation and Updating of Anti-Virus Software
A common way that hackers can access a computer system in a medical Practice is through viruses or malicious software (malware). In addition, computers can become infected by seemingly innocent sources such as email links, USB drives, and web browser downloads. It is important to use a product that provides continuously updated protection, and ensure your staff know how to recognise when your anti-virus has detected something suspicious.
Controlling Access to Patient Information
Familiarise yourself with role-based access permissions, where a staff member’s role within your Practice (e.g., doctor, practice manager, nurse) determines what information they have access to. Care must be taken to assign staff to the correct role within your Practice. Having well structured role-based permissions ensures that your staff can only access what they’re supposed to, which ultimately improves your Practice’s IT security.
Create Strong Passwords and Change Them Regularly
Passwords are often the first line of defense against unauthorised access to your Practice’s computer systems. Although strong passwords will not prevent attackers from trying to gain access to your network, it can slow them down and even discourage them altogether.
Using easy-to-guess passwords or sharing passwords between applications and logins significantly increases your Practice’s risk and vulnerability. Using the same password for multiple logins presents an incredibly high risk. If a hacker gains access to one account, they gain access to all of them. This can have a devastating flow on effect, not just for your Practice, but your staff’s personal lives as well.
Your staff should be aware that legitimate organisations will never ask for their password over email or messaging service. For maximum password security, employ the use of a reputable password storage system.
Strong passwords are ones that are not easily guessed. Hackers will use automated methods to try to guess a password, and so it is important to choose a password that does not have characteristics that could make it vulnerable.
Strong passwords should not include:
- Words found in the dictionary.
- Personal information such as birth date, your name, or pets’ names.
Some examples of strong password characteristics:
- At least eight characters in length.
- A combination of upper case and lower-case letters, one number, and at least one special character, such as a punctuation mark.
For many Practices, consistently reviewing and updating IT security measures can sometimes feel a little tedious. However, training your Practice in strong IT security habits is essential when it comes to protecting sensitive patient data.
While it may not be practical to enact all of the above cybersecurity best practices all at once, each of them can be implemented incrementally, and each of them will secure your Practice’s systems as you institute them.
Analyst & Developer at Best Practice Software