Healthcare providers have a legal obligation to keep patient data security, whether it’s at rest on a server or in transit to the cloud or a third party. To maintain regulatory compliance and the confidence of your patients, your practice needs to be vigilant in the technologies that it deploys to make sure that all personal and medical information is protected.
Unfortunately, hackers are using sophisticated means to steal this data, sell it or hold your medical practice hostage until you pay massive ransoms. The cost to your practice can be significant, both in dollars spent, patients who leave and reputation lost.
Your practice and patients need an IT solution that provides reliable services to protect data and monitor your IT systems. Otherwise, you leave the data far more vulnerable.
A managed service provider (MSP) that knows the complex issues facing medical businesses today is your best defense. Here’s a look at some of the most common IT issues facing practices and how you and your (MSP) can guard against them.
How Do I Manage All the Users Who Have Access to Patient Data?
Not all cyberattacks are perpetrated by outside parties. Employees — current and former — may have access to sensitive information, which is why processes and procedures need to be in place to manage access. Two common issues are:
Controlling Privileged Access. Your practice needs to routinely review which employees have administrative access or privileged accounts in your system. Assess access needs for employees who change roles within the practice and practice “need to know” procedures when determining who sees what.
Removing Accounts. Whenever an employee leaves a practice, especially if they are terminated, it’s important to remove their access immediately and inactivate their accounts. Many practices create generic accounts for vendors, contractors and consultants and forget to review and delete them. In addition to deletion in the moment, there should be a regular review of active accounts to make sure they are still necessary.
What Security Issues Are Due to Our Products?
Servers and software are major access points for disruption. There are a couple of common vulnerabilities that practices should look at:
Changing Default Credentials. Desktop computers, laptops, firewalls, wireless access points and routers come equipped with default usernames and passwords. These defaults are widely known. If you keep those credentials on the devices, you’re making it that much easier for hackers to gain access.
Changing Default Configurations. Just as with your devices, your operating system will come preconfigured with settings that should be changed immediately after installation.
What Do I Need To Do When Transmitting Data?
Many servers include services such as file transfer protocol (FTP), Telnet and terminal services. You should not transfer any information using these tools as they are easily “sniffed” by hackers using freely available methods. For example, FTP and Telnet need to regularly reauthenticate access credentials. Usernames and passwords are sent as text that can be easily accessed by third parties.
Data transfer should be done using sophisticated encryption protocols when transmitting and backing up data.
What Can I Do To Help Employees?
Your employees are your first line of defense against a cyberattack. Automation and education are the keys to prevention.
You need to make sure they are aware of methods used by bad actors and can detect suspicious emails and attachments that pose a major risk to the practice.
It also means making sure you have automated security tools in place to prevent attacks. You need to provide anti-spam, anti-malware and anti-phishing tools that run automatically on every connected device on your network. These software apps should be updated automatically to address the ever-emerging new viruses, worms and trojans that do damage.
You also need to make sure that patches to software and operating systems are applied automatically and immediately.
With some careful planning and the right technology partner, your health care business and its data will remain safe.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.