These steps are inexpensive and provide the first line of defense against hackers and data loss
Technology that connects providers, patients, hospitals, and health systems and allows them to share data is a boon to doctors trying to manage massive amounts of information. But if hackers get into your system, it can cost you thousands of dollars to repair the damage, pay the HIPAA fines, and rebuild your reputation in the community and with your patients.
As practice networks expand beyond computers to phones, credit card readers, and medical devices, new avenues open up for hackers to exploit.
Here are some best practices from the American Medical Association to safeguard your office network against cybersecurity threats.
Your internet connection is most likely on all the time. To prevent unwanted access, install a firewall between your internal network and the internet. The router you use may also have a firewall built in, and it is important that it is enabled and properly configured, not merely present. Check with your network professional to make sure everything is turned on and configured properly.
Your router may also be the Wi-Fi hotspot for the office. Because of the router's central role in the network, its administrative account must be protected with a strong password; the factory-set password is not good enough, because default credentials are published and easily looked up. If someone obtains that password, they can control the device, change its settings, and monitor and record data passing through the router. If the router offers management from the internet side, turn that off so the administrative interface is reachable only from inside the office. If your network has more than one component, make sure each one has current firmware and a strong, unique administrative password.
If your office computers run Microsoft Windows, they already include a software (host) firewall, Windows Defender Firewall. Make sure it is enabled, and enabled for every network profile (domain, private and public), since a laptop that is protected on the office network can still be exposed when it joins a public one. The setting is found under Control Panel (or Settings) in the Windows Defender Firewall section.
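As an added example, not part of the AMA guidance, the following PowerShell script checks that point from the command line. Run it from an elevated (Administrator) prompt on a Windows 10/11 PC: it reports the firewall service state and each network profile, and with the assumed -Fix switch (the switch name is this script's own) it enables any profile that is disabled or allowing unsolicited inbound traffic. The cmdlets used come from the NetSecurity module built into Windows.

```powershell
# Added example (not AMA code): audit and enforce Windows Defender Firewall on an office PC.
# Run from an elevated PowerShell prompt on Windows 10/11. Save as, e.g., Check-OfficeFirewall.ps1
# (assumed file name) and run .\Check-OfficeFirewall.ps1 to report or .\Check-OfficeFirewall.ps1 -Fix to repair.

param(
    # -Fix is this script's own assumed switch: without it the script only reports.
    [switch]$Fix
)

# The firewall is only effective if its service (mpssvc) is running.
$svc = Get-Service -Name mpssvc
Write-Host ("Firewall service: {0}" -f $svc.Status)

# Windows keeps separate settings per network profile. A PC that is protected on the
# "Private" profile can still be wide open when it joins a "Public" network.
$problems = @()
foreach ($p in Get-NetFirewallProfile) {
    # Enabled is a GpoBoolean (True/False/NotConfigured), so compare explicitly.
    # DefaultInboundAction of NotConfigured is effectively Block, so only 'Allow' is weak.
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')
    Write-Host ("{0,-8} Enabled={1,-14} DefaultInbound={2,-14} {3}" -f `
        $p.Name, $p.Enabled, $p.DefaultInboundAction, $(if ($ok) { 'OK' } else { 'WEAK' }))
    if (-not $ok) { $problems += $p.Name }
}

if ($problems.Count -eq 0) {
    Write-Host "All profiles are enabled and block unsolicited inbound traffic."
} elseif ($Fix) {
    # Enable the firewall and block unsolicited inbound connections on every weak profile.
    # Outbound stays allowed so ordinary browsing and EHR connections keep working.
    Set-NetFirewallProfile -Name $problems -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
    Write-Host ("Fixed profiles: {0}" -f ($problems -join ', '))
} else {
    Write-Host ("Weak profiles: {0}. Re-run with -Fix to correct them." -f ($problems -join ', '))
}

# Inbound "allow" rules that are enabled but not part of a Windows rule group deserve a look:
# a forgotten rule added by old software is a common way office PCs end up exposed.
Write-Host "Enabled inbound allow rules outside Windows' own groups:"
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { [string]::IsNullOrEmpty($_.Group) } |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
```

The script changes nothing unless -Fix is given, so it is safe to run on every PC as a quick audit; the rule listing at the end is informational, since legitimate third-party software also creates ungrouped rules, and each one should be recognised before it is kept.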
Many routers can run more than one Wi-Fi network, such as a private one for staff and a public one for patients. Make sure the public network is isolated from the private one, so that patient devices cannot reach office computers, printers or medical devices. The wireless access point can be set so that it does not broadcast its Service Set Identifier (SSID), the name of the wireless network, with patients given the Wi-Fi login credentials only on request. Note that hiding the SSID reduces casual attention but is not a security control: devices that know the network still transmit its name when they look for it, and the name is readily recovered with free tools, so do not rely on it in place of encryption and strong passwords. Do not use an identifiable name, such as “Dr. Smith’s Wi-Fi,” for either the public or private network, as it may draw unwanted attention to your network. In addition to masking the SSID, create strong, different passwords for the public and private Wi-Fi networks.
The public network can be reached from outside the clinic’s walls; anyone who has the SSID and password can connect at any time. When setting up each SSID, enable encryption, which on current equipment means WPA2 or WPA3 with a strong passphrase; the original WEP and WPA standards are obsolete and should not be used, and the staff network must never run open. This step is important because it helps protect office data from electronic eavesdroppers. Also consider setting an access schedule for the public Wi-Fi. Within the router’s menu, time frames can be set to allow or disable internet access for network devices. For instance, if the office is closed on Sundays, access can be disabled to keep people from using it.
One of the most widely used ways to reach office information remotely is a Virtual Private Network (VPN). A VPN lets you connect back to the office over an encrypted tunnel from a range of devices. Over a VPN connection, you can use a tablet, PC or smartphone to securely access your practice management system and the patient records and diagnostic images stored in your office’s EHR. Because the VPN is, by design, a door into the office network, protect its accounts with multi-factor authentication where the product supports it, keep the VPN software on both ends updated, and remove accounts promptly when staff leave. Talk to your EHR/practice management vendor or consult with an expert on how to securely use your office’s network capabilities.
Many medical offices lease modern copy machines and multifunction printers. These devices contain hard drives similar to computers and can retain copies of documents that are printed, copied, scanned or faxed. Since those documents may contain protected health or other sensitive information, practices must ensure that the data stored on the devices’ hard drives is securely erased, or the drives destroyed, before the machines are returned to the vendor; put that requirement in the lease and ask the vendor for written confirmation that it was done.
Even with good system hygiene, there are instances in which patients’ data are compromised or lost, such as a hardware failure or natural disaster. There has also been a recent increase in attacks using ransomware, which encrypts data and makes it unusable until a ransom is paid to the attackers. A current backup of the office data lets you recover that information without paying the ransom, but only if the backup itself is out of the ransomware’s reach: a backup drive or network share that stays connected to the office network is encrypted along with everything else, so keep at least one copy offline or otherwise not writable from office PCs. To prepare for the worst, develop and test backup and disaster recovery plans that anticipate how to recover any lost medical and practice records, and perform a test restore on a schedule; a backup that has never been restored is an assumption, not a plan.
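As an added example, not part of the AMA guidance, the following PowerShell script shows the "test the backup" step in its cheapest form: it copies a practice data folder to a backup drive with the built-in robocopy tool, then hashes every file on both sides with SHA-256 and reports anything missing or altered, and writes a manifest next to the backup for checking a later test restore. The folder paths are assumptions to be replaced with your own, and the backup drive is assumed to be one that is disconnected after the run.

```powershell
# Added example (not AMA code): copy a practice data folder to a backup destination and
# verify the copy before trusting it. Run in PowerShell 5.1 or later on Windows.
# Both paths below are assumptions; replace them with your own.

param(
    [string]$Source      = 'C:\PracticeData',   # assumed folder to protect
    [string]$Destination = 'E:\Backups\PracticeData-' + (Get-Date -Format 'yyyyMMdd')  # assumed removable drive
)

# 1. Copy. robocopy ships with Windows; /MIR mirrors the tree, /R:2 /W:5 limits retries on
#    locked files, /NP /NFL /NDL keeps the log short. robocopy exit codes below 8 mean success.
robocopy $Source $Destination /MIR /R:2 /W:5 /NP /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 2. Verify: the SHA-256 hash of every file must match on both sides. A backup that exists but
#    cannot be read back is not a usable backup, and this check catches that. (It cannot tell
#    whether the source files were already encrypted by ransomware; only a test restore that
#    opens the records in the EHR proves that.)
function Get-TreeHashes([string]$Root) {
    $table = @{}
    $prefixLength = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        $relative = $_.FullName.Substring($prefixLength)   # path relative to $Root
        $table[$relative] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

$src = Get-TreeHashes $Source
$dst = Get-TreeHashes $Destination
$missing  = @($src.Keys | Where-Object { -not $dst.ContainsKey($_) })
$mismatch = @($src.Keys | Where-Object { $dst.ContainsKey($_) -and $dst[$_] -ne $src[$_] })

"Files in source: {0}; copied: {1}; missing: {2}; hash mismatches: {3}" -f `
    $src.Count, $dst.Count, $missing.Count, $mismatch.Count
$missing  | ForEach-Object { "MISSING  $_" }
$mismatch | ForEach-Object { "MISMATCH $_" }

# 3. Record the manifest beside the backup so a later test restore can be checked against it.
#    Then physically disconnect the drive: a backup that stays mounted is within reach of the
#    same ransomware that hits the office PCs.
$src.GetEnumerator() | Sort-Object Key |
    ForEach-Object { "{0}  {1}" -f $_.Value, $_.Key } |
    Set-Content -Path (Join-Path $Destination 'SHA256-manifest.txt')

if ($missing.Count -eq 0 -and $mismatch.Count -eq 0) {
    "Backup verified. Disconnect the drive and store it off the network."
} else {
    "Backup is NOT complete; do not rely on it until the problems above are resolved."
}
```

Each run writes to a new date-stamped folder, so earlier backups are not overwritten; the manifest makes a later restore test a matter of rehashing the restored files and comparing, and the same hashing function can be pointed at the restore location for that purpose.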