A Data Breach is a Nightmare Scenario for Any Healthcare Practice
Maintaining HIPAA compliance is more than a big deal, if you don’t take the proper steps to prevent a breach of patient data, your practice could suffer costly long-term consequences and tremendous damage to your reputation.
How bad could it be?
A recent study by the Ponemon Institute revealed some alarming statistics:
- Almost 90% of healthcare organizations are estimated to have experienced a data breach in the last two years.
- The average cost of a HIPAA data breach is $380 per record.
- Criminal attacks are the leading cause of data breaches in healthcare.
Get your reputation back on track with our HIPAA compliant system built just for healthcare organizations like yours.
Theft of sensitive patient information can lead to a damaged reputation, fewer physician referrals and, of course, lost patients.
Data breach or not, if you’re having trouble keeping patients you might want to check out our 8 Most Effective Patient Retention Strategies.
What Steps Can You Take to Protect Your Patient Data Against an Attack?
No system is truly hack proof, but there is a lot that can be done to protect your information. Here are some simple things you can do to guard against an attack.
1. Don’t wait to update your software
It can be an annoyance to install an update and reboot, but sticking with an outdated version means compromising your security. The latest version of a software often includes patches to areas in which vulnerabilities have been revealed. That is one of the reasons that versions are constantly being updated.
2. Use software that prioritizes cybersecurity
If you’re counting on your software to protect itself, you need to make sure you’re choosing software that holds cybersecurity as a top priority. Invest in systems that include:
- Next-generation firewalls
- Advanced malware detection
- Email and web gateways
- Multi-factor authentication
3. Set up password-protected, time-based screen locks
It’s easy to run to the restroom or take your lunch break leaving your computer open for when you return. Setting up screen locks that automatically kick in after a set amount of time if a mouse or the keyboard is idle will protect your computer. A glancing passerby will not be able to see any sensitive information.
On a Mac, you can set up hot corners to easily turn on your lock screen by moving the mouse to a corner of your choice.
4. Put password procedures in place
If a criminal is able to guess or access just one password that gives them access to your data, it’s game over. Putting password procedures in place will go a long way toward protecting your information. Enforce some requirements for everyone with access to sensitive data.
- Don’t use the same password for more than one account
- Change your password every few weeks
- Include numbers, letters, upper and lower case, and symbols
- Have a minimum password length of 8 characters or more
5. Store and share passwords carefully
Ideally, you’d want to remember your passwords without the need for storage, but that’s not always realistic. At the very least you can be smart about your password storage. Use a secure password management system such as LastPass or Zoho Vault for your team’s password storage.
Most password management systems have a system for secure password sharing. Never share a username and password over email. If you need to share, send each piece of information on a different platform. For example, you may send a username over email, and then give the password over the phone. You can add an individual to your password management system. It should allow you to decide which passwords that each person can see. Then you can just share the ones they need.
6. Do’s and don’ts of password protection:
- Don’t allow your browser to store your password
- Do use 2-factor authentication whenever available
- Do set up security questions and keep personal information up to date
7. Control and monitor internal access to sensitive information
You should always know who on your team has access to what systems. Have a procedure in place in case someone needs to access information from a system they do not have a username and password for. This will help you keep up with who has access to what software, and help prevent sharing of passwords as a “one-time use.”
Controlling access to sensitive information internally means only the people who really need access will have it. Keep an eye on changing roles or daily tasks so you can revoke access to systems that are no longer required by your staff.
8. Continually educate your staff and set expectations
Any security system is only as strong as its weakest link. Human factors play a part in the majority of cyber attacks. Keep your staff informed on the value of sensitive information. Security should always be a top priority. Keeping everyone updated on password procedures and policies will ensure that everyone is on the same page with what is expected.
9. Don’t count on a single system to protect you
No system is 100% hack proof, but layering your defenses will give you a significant boost in protection. Having a backup method of defense in case your front line is infiltrated is highly recommended.
10. Use a backup hard drive and test regularly
Purchasing a backup or mirrored hard drive as an added security measure will help ensure that data that gets lost, damaged, or stolen can be recovered. This may add about 10-20% to the overall cost of your EHR system, but the added protection is well worth it. Storing a back-up off premises will add security to your system.
Testing your hard drive on a regular basis will ensure that you can restore data if the need ever arises. When attempting a test restore data, choose a time when the practice will not be affected by any downtime and always restore to a server that is not live or you’ll risk corrupting your data.
11. Hire a forensic consultant
A forensic consultant will give you insight into your practice’s vulnerabilities, liabilities, and help you to create an individualized security plan to protect your practice. If you’re on a tight budget, remember this will help you avoid the spending the cash you’ll end up forking out in the case of a data breach.
12. Know the signs of a breach
If you don’t know what to look for, you could have a breach without realizing it. If you see any of these signs, you could be under attack:
- You’re locked out of your user account
- Strange outbound emails are originating from your address
- A black computer screen
- Unusual browsing or account history
Taking Action Now Can Prevent a Breach of Patient Data
In healthcare especially, a sizable data breach can bring a business to its knees. The time, effort, and money you spend now are invaluable in your efforts to protect your sensitive patient information. Create your data protection strategy and take action today to prevent reputational damage down the road.
Could your healthcare reputation use a little TLC?