March 09, 2018

Expert provides 7 tips on protecting your cyber data

Mark Haskelson

ATLANTA – Ransomware and security attacks are increasing in frequency for small- and medium-sized businesses, Mark Haskelson said, but optometrists can take seven steps to protect their practices.

Haskelson, president and CEO of the Compliance Group, spoke at SECO’s MedPro 360, which was partially sponsored by Healio.

“Ransomware won’t break the bank, but the cost of down time, data loss and possible fines and notifications will,” he said.

Malicious emails and lack of employee training make practices vulnerable to ransomware, Haskelson said. Phishing scams occur through emails that seem legitimate.

“If you have a breach, you have to report it to the government because it is a HIPAA violation and you will get audited,” he said. “You are also mandated to report this to the patients involved. In a small town, if people find out their information was accessed inappropriately because of you, they may not come back to you.”

Haskelson explained how ransomware works.

“You open an email, click on a link, and it slinks into your system. It can lay dormant,” he said. “When it shows up it encrypts your data so you can’t access it or removes the data from your organization and places it somewhere else. You may get the data back, but often it’s not in a form you can use.”

Frank Abagnale, who was made famous by the book and movie Catch Me If You Can and now works for the FBI, said, “Every security breach that’s occurred was caused either because you didn’t have a policy or procedure or someone whose job was to ensure it was enforced failed to do so,” Haskelson said.

“When you get a notice that some software on your computer needs to be updated, it’s probably because there’s a threat and they’re putting in a patch to prevent it,” he said. “Back-up and disaster recovery is the best defense against ransomware. You have your data stolen by ransomware, you access your back-up and you’re good to go.”

Haskelson recommended “business continuity planning,” which takes into account power outages and the Internet going down.

“Can I still see patients? For every function we have in our business, do we have a plan on how you can take paper charts if your Internet goes down?” Haskelson said.

The most fundamental thing you can do to protect your practice is encrypt the data you work with, he said.

“Plus, you need a back-up,” he continued. “Don’t presume your EHRs are doing this – make sure they explain to you how they are encrypting and backing up your information.”

He recommended using the “3-2-1” rule: Have three copies of data in two different formats (one on the web as a drop box and the other as a physical hard drive), with at least one off-site.

“If you leave your back-up connected to the Internet all the time, it can get a virus,” he said.

Haskelson recommended implementing seven steps in your practice right now.

1. Get HIPAA-compliant.

2. Use strong passwords. The longer and more unique a password, the better. It is more effective to use a phrase than a complex mix of lower- and upper-case letters and symbols.

3. Show your staff members what to look for and have a prevention plan.

4. Do not allow all staff members to have administrative access to all of your systems.

5. Keep antimalware/antivirus software up to date. If providing Internet to your patients, set up a guest network.

6. Run all attachments through a spam filter.

7. Ensure a fool-proof back-up plan for fast recovery. Practice and make sure your staff members understand it.

Haskelson offered a free security and compliance checklist: https://compliance-group.com/simple-hipaa-compliance-checklist/. He said the American Optometric Association also has free resources. – by Nancy Hemphill, ELS, FAAO

Reference:

Haskelson M. Protecting your cyber data. Presented at: SECO/MedPro 360; March 3, 2017; Atlanta.

Disclosure: Haskelson is president and CEO of the Compliancy Group.