Cybersecurity best practices for your healthcare practice: Start with education

Privacy is a top concern for individuals across the digital world, but that is especially true for patients and their protected health information (PHI), which commands a high price tag on the dark web. Unfortunately, the reality is that cyberattacks on healthcare networks have increased exponentially in recent years, placing highly sensitive patient information at risk. Healthcare IT can help by stepping up security measures, and organizations can provide updated cybersecurity training for staff.

Here are some of the key cybersecurity fundamentals and best practices to follow:

Conduct healthcare cybersecurity training

Human error or neglect can have serious and costly consequences for healthcare institutions. Cybersecurity training provides healthcare personnel with the information they need to make wise decisions and exercise appropriate caution while managing patient data. In particular, effective cybersecurity training should help employees recognize and halt attacks before they cause damage. A good place to begin is consulting with a reliable cybersecurity provider who will work with you to tailor a cybersecurity and employee training program to safeguard your data.

Another reason cybersecurity training is vital is because it’s mandated by HIPAA. Specifically, the HIPAA Privacy Rule contains a provision requiring a provider to “train all members of its workforce on the policies and procedures with respect to PHI,” and the HIPAA Security Rule includes a similar requirement for a provider to “implement a security awareness and training program for all members of its workforce (including management).” With that training in place, and repeated often, employees are better equipped to recognize situations where the use of PHI warrants special protections, such as the use of HIPAA compliant email or role-based access controls.

In addition to recognizing threats, employees must also be trained on the organization’s data incident reporting protocol when an employee's device becomes infected with a virus or performs abnormally. Warning signs for such problems may include a machine running slowly, unexplained errors, changes in the way a computer functions, etc. They should understand how to identify a genuine warning message or alert and promptly report such incidents to IT staff.

Stay up to date on HIPAA Privacy and Security Rules

Beyond the training requirements noted previously, the HIPAA Privacy and Security Rules include a wide range of provisions to help safeguard patient data.

HIPAA's Security Rule ensures the security of electronic health information created, used and maintained by covered entities, i.e., organizations that are subject to HIPAA. In the HIPAA Security Rule, policies and procedures are established for how protected health information should be managed from administrative, physical and technical perspectives.

In accordance with the Privacy Rule, information cannot be used or shared without the patient's permission. According to the HIPAA Privacy Rule, personal health information, including medical records, insurance information and other sensitive data, must be protected.

Those rules have experienced a number of updates since they were first added to the HIPAA law in 2000 (Privacy Rule) and 2003 (Security Rule), including the recent Notification of Enforcement Discretion for Telehealth, which was enacted during the pandemic to give providers more flexibility in using remote communication tools for telehealth.

It’s important for healthcare providers and staff to stay up to date with HIPAA regulations and rules as part of their cybersecurity training.

Use strong passwords

Passwords can be an easy target for exploitation by bad actors. One of the most serious dangers to company security is a weak password. Organizations like the National Institute for Standards in Technology (NIST) regularly publish and update recommended password guidelines. The latest NIST recommendations* include:

• Password length is more important than password complexity.
• Do not enforce regular password resets.
• Implement 2-factor authentication, which requires an additional form of identification – such as access to an email account – be used to authenticate a user.
• Use a password manager, which encourages employees to choose stronger passwords

Beware of unknown emails

One of the most common ways that hackers acquire access to a company's network is through email phishing attacks, also known as email spoofing or email impersonation. Phishing is a malicious attempt to trick recipients into giving up personal and online account information in order to access and exploit more valuable and sensitive systems.

Within healthcare practices, display name spoofing – a targeted phishing attack where an email’s display name is altered to make a message look like it comes from a trusted source – is a frequent attack strategy used by bad actors. While there is technology designed specifically to combat display name spoofing, when it comes to training, it’s important for employees to understand the who, what, where, when and why of every email they receive. Specifically:

• Never click blindly on an attachment or link.
• Beware of messages that seem too good to be true or too urgent.
• Hover over the display name to see the sender’s email address.
• Check not only the email address but all email header information.
• If using a mobile device and unsure of a message, open it on a computer as well.
• If suspicious of an email, contact the sender another way.

The best defense

The best defense is often a good offense and being prepared and educated about cybersecurity threats is of the utmost importance for healthcare practices. The combination of strong IT safeguards, as well as a cybersecurity-aware staff, can go a long way to conducting your practice in a safe and secure manner.

Shawn Dickerson is Vice President of Marketing for Paubox, a leader in HIPAA compliant email and marketing solutions for healthcare organizations.