Educating Staff Is Vital
Teaching staff to be particularly careful with emails, especially those carrying attachments, and with text messages is essential. Emails that look entirely legitimate often still carry telltale signs, such as links whose real destination does not match the sender, that help staff spot fraud.
These electronic attacks can be very deceptive and appealing. They still succeed at an alarming rate, and even telephone impersonations continue to succeed today, despite HIPAA prohibitions and precautions. In fact, HIPAA places a particular burden on every practice to meet compliance and risk-abatement best practices routinely.
The first and foremost step in cybersecurity is management of personnel. They must be taught, and reminded, of how important security is to the practice. Failure to maintain security can lead to data loss and related expenses; slowed access and responsiveness at work terminals; and loss of system integrity, ransomware, and even practice closures, whether temporary or permanent—with commensurate changes in employee paychecks.
Basic practice protocol should include making sure that all systems run up-to-date operating systems and browsers and that these are patched regularly. It is tragic how out of date some practices' systems can become.
There are also resources available, including those from the Internal Revenue Service and the US Securities and Exchange Commission, that provide tips on how to avoid phishing and scams.
Emails Are Targets
Despite browser and security updates, email remains vulnerable. It is essential that staff privileges be curtailed when it comes to accessing services at work, especially social media. That means you need a policy in place regarding staff use of social media from work. Communicate that policy, and be prepared to enforce it. Of course, that raises a further problem: how do you know whether they are doing it or not?
The combination of home and work via smartphones also poses a risk, because they contain both social media apps and apps for accessing electronic health records (EHRs) and portals.
The security of text messaging is another common vulnerability, and additional apps are available to improve its HIPAA compliance and security. Such vulnerabilities may also be limited by meeting the current goal of having every provider practice to the full extent of their license.
Staff should only be "licensed" enough to complete their job description. Furthermore, if traffic patterns suggest access to certain external websites or types of websites, that access should be reviewed and, where unwarranted, blocked.
Medscape Business of Medicine © 2017 WebMD, LLC
Cite this: Gregory A. Hood. How to Prevent Costly and Dangerous Cyberattacks - Medscape - Apr 25, 2017.