7 steps to mitigating your cyber risk

February 21, 2019

Cybersecurity is a real and serious issue, but taking these seven steps can drastically lower your practice’s exposure to a cyberattack.

Continuing cyberattacks on healthcare providers emphasize the need for medical practices of all sizes to make cybersecurity an essential part of their business. Here are seven steps to strengthen your practice’s cybersecurity position. 

1. Conduct a risk assessment 

Successful cybersecurity begins with understanding the actual threats and vulnerabilities your practice faces. A cybersecurity risk assessment lists the practice assets that could be subject to cyberattack (such as hardware, systems, mobile devices, patient data, etc.), identifies the possible threats to those assets, and evaluates the likelihood of the identified threats actually occurring. This allows you to focus resources on the risks most likely to occur and prioritize which vulnerabilities to address first. 

A risk assessment is also important in the event of a data breach. It shows you acted reasonably in identifying and addressing potential threats, and it may be required to obtain cybersecurity insurance.

2. Secure your systems

Unprotected systems and outdated programs and software are frequent points of attack for cybercriminals. To safeguard your systems:

  • Install antivirus and anti-malware software to scan email attachments for viruses and your system for malware.  

  • Install a firewall to protect your network by monitoring and controlling the incoming and outgoing data streams.

  • Regularly update your programs and software. Promptly install all software updates since these often contain security patches addressing vulnerabilities discovered since the last update.  

  • Encrypt your data. Several readily available programs allow you to encrypt a select group of files, or for a more secure option, your entire hard drive.

  • Regularly back up your data to a secure cloud platform, an external hard drive, or to both. Backups will enable you to recover your data in the event it is damaged, lost, stolen, or held hostage with ransomware.

3. Restrict access to data 

Not every staff member needs, or should have, access to all of your practice’s data. Staff should have access only to the data they need to properly perform their job functions. Determine access and privileges by following a three-tiered data classification system that restricts access according to data sensitivity.

Public data is non-sensitive data that poses no risk to the practice or patients, requires minimal security, and may be accessed by all staff. Private data is moderately sensitive data that poses a relatively low risk, but should be handled guardedly with limited staff access. Sensitive data is data that if compromised could cause severe damage and requires a high level of security. Access to sensitive data should be permitted only on a need-to-know basis.  

All data should be accessible only after user authentication verifies the person accessing it, and audit logs should record every access so that it can be monitored.
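One way to express the three-tier model above as an enforceable check, with need-to-know on sensitive records and an audit entry for every decision (this is an added illustration, not code from the article; the role names, clearances, users and records are constructed):

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The article's three tiers, ordered by sensitivity.
PUBLIC, PRIVATE, SENSITIVE = 0, 1, 2
# Hypothetical roles: the highest tier each role may read at all.
ROLE_CLEARANCE = {"receptionist": PRIVATE, "billing": PRIVATE, "clinician": SENSITIVE}

@dataclass(frozen=True)
class Record:
    record_id: str
    tier: int
    need_to_know: frozenset = frozenset()  # users cleared for this specific record

@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def check(self, user, role, record, authenticated):
        """Return (allowed, reason); every decision, allow or deny, is audited."""
        if not authenticated:
            return self._decide(user, record, False, "not authenticated")
        clearance = ROLE_CLEARANCE.get(role)
        if clearance is None:
            return self._decide(user, record, False, "unknown role")
        if record.tier > clearance:
            return self._decide(user, record, False, "tier exceeds role clearance")
        if record.tier == SENSITIVE and user not in record.need_to_know:
            return self._decide(user, record, False, "no need to know")
        return self._decide(user, record, True, "allowed")

    def _decide(self, user, record, allowed, reason):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "user": user, "record": record.record_id,
                               "allowed": allowed, "reason": reason})
        return allowed, reason

def demo():
    """Constructed sample: one record per tier, checked by different users."""
    ac = AccessControl()
    hours = Record("clinic-hours", PUBLIC)
    schedule = Record("staff-schedule", PRIVATE)
    chart = Record("patient-0001-chart", SENSITIVE, frozenset({"dr_lee"}))
    results = [ac.check("front_desk", "receptionist", hours, True),
               ac.check("front_desk", "receptionist", schedule, True),
               ac.check("front_desk", "receptionist", chart, True),
               ac.check("dr_kim", "clinician", chart, True),
               ac.check("dr_lee", "clinician", chart, True),
               ac.check("dr_lee", "clinician", chart, False)]
    return results, ac.audit_log
```

Note that a clinician's clearance alone does not open a sensitive chart; the per-record need-to-know list is what grants it, and the denials are logged just like the allows.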

4. Mobile devices 

Many practices allow employees to bring their personal mobile devices to use at work (bring your own device, or BYOD). While BYOD is convenient, it also raises security issues, as personal devices can have outdated operating systems, lack minimal security controls such as password protection or encryption, and may be easily lost or stolen. 

Adopting a well-defined BYOD policy helps lessen the security risks. A BYOD policy should address which devices may be used on your network and require the use of passwords or biometric authentication, regular updates of the operating system and installed apps, installation of anti-malware and antivirus software, and a remote wiping program to delete data in the event the device is lost or stolen. 

5. Educate your staff

Your staff can be either your best defense against cyberthreats or your greatest weakness. The most sophisticated technology won’t protect against a staff member inadvertently opening a phishing email, inserting a malware-loaded USB drive into a computer, losing a mobile device, or connecting to an unsafe wi-fi network, all risks that can be mitigated through security awareness training.

An effective security awareness program should teach all staff to understand the threats and vulnerabilities to the practice (phishing, social engineering, lost or stolen mobile devices, outdated software, etc.) and their responsibilities in defending against these threats and vulnerabilities. Broad advice such as “use strong passwords” or “don’t open phishing emails” is meaningless. A more effective approach is to teach staff how to create stronger passwords, how to spot a phishing email, and how to integrate cybersecurity best practices into everyday use. Empower your staff to take an active role in the practice’s cybersecurity. Provide periodic instruction to reinforce prior learning and enable staff to keep up with constantly changing and evolving cybersecurity threats.

6. Manage your third-party vendor risks

Several of the biggest security breaches in recent years originated with third-party vendors. Mitigate your third-party risk by adopting a policy that limits vendor access to your data and network. As with staff, vendors should be able to access only the data and portions of your network necessary to perform their duties.

In addition, frequently assess your vendors’ security practices. Ask vendors whether they employ security controls, provide cybersecurity training for their employees, and regularly patch and update their software and vulnerability protection. A vendor’s security practices should be no less diligent than yours. 

7. Develop an incident response plan 

Despite best efforts, breaches will occur. Identifying, responding to, and containing a breach quickly can significantly reduce its cost and impact. An incident response plan (IRP) establishes a framework for detecting, acting upon, and limiting the effects of a data security breach. An IRP typically identifies who within the organization is responsible for investigating a security incident, what resources (technical, forensic, legal, public relations, etc.) are available, and what incident assessment, countermeasures, and corrective and notification actions are to be taken.

Cybersecurity is a real and serious issue, but taking the above steps can drastically lower your practice’s exposure to a cyberattack. Remain vigilant about your cybersecurity position as you would your practice’s physical security, and you will be much more likely to avoid a breach and the resulting costs and damage to your reputation. 

Joseph E. Guimera, JD, is an attorney and founder of Guimeralaw Cybersecurity Advisory where he helps organizations plan, build, and execute cybersecurity programs. He can be reached at jguimera@guimeralaw.com.