Medical Office Computing in the 2020s
When we talk about computer use in any medically related field, we are talking about security.
Probably the first thing that comes to mind for the professional medical office worker is HIPAA (the Health Insurance Portability and Accountability Act of 1996), as well it should.
HIPAA dictates company policies around who should be able to view which patient’s record and how, and mandates that you have such policies. HIPAA also has rules around computer network setup and use that must be consulted and complied with, for both technical and legal reasons. We will get back to this.
Let’s be very clear. If your firm handles medical data you have a target on your back, just as if you were processing credit cards. Most practices do both. Criminals are trying to get your data. Large criminal enterprises and small ones make a profession of hacking business data networks to harvest those numbers, which they often resell to other organized crime groups that exploit the stolen information.
One of the most common misconceptions is that you are automatically safe if you keep your client charts and billing in an online, cloud-based system. People think that they do not have to worry about backups or HIPAA if they use such a service. This misconception is often spread by the people who sell such services.
Just having your data in the cloud does not make you invulnerable to data theft or ransomware.
There is one person whose access to your data is vulnerable: YOU.
The hackers of today get into your system and work it as you, or as one of your employees. They have professionals who search your files as you: they find your notes and documents (usually the IT and cloud service passwords are in an unencrypted document on your network), they find the non-cloud data, and they make all the copies they need, including running a report and download from your patient records (often labelled as a “backup”). What happens next could include selling off the patient records, especially if they contain payment methods, and waiting until the buyers have finished harvesting them. It could also include placing ransomware on your network, giving it the time and methods to push out to every computer connected to your system, and then triggering it to encrypt everything. That is when you get the ransom message on your screen.
You never want to see that message on your screen. It usually means that you will not be doing any productive work that day, nor for a few more days. If you DO see that message, and most of us will, you want to make sure that you have a good recovery plan. What this company recommends to our clients is to plan for both the prevention and the recovery.
Keep user rights to a minimum. Of course, passwords should not be stored on your system. Rights to any data should be restricted to as few people as possible, and the form of those rights should also be restricted. Off-site IT should be the only ones able to provide or change a password, configure a backup, export certain data, manage cloud service dashboards, and grant access to any local shared file data.
Guard against intrusions. Newer routers keep an eye on intruders and limit what can be done through them, such as moving data off site. Those routers have anti-intrusion software that works like anti-virus software, automatically updating and looking for trouble. The anti-virus software on your laptop is probably not enough against intrusions and ransomware. Upgrade. And do not allow people to add their personal computers to your company network without a security inspection first.
Listen to your vendors. What does your online patient tracking system recommend? How about your credit card processor? Online accounting? Government reporting?
Follow the basics. Keep all systems updated, both security patches and system updates. Do not use unsupported versions of Windows. Use two-factor authentication for remote access.
Some of the worst recent headline-making data heists have been due to skipping the basics or not doing them to the full extent needed. Those ended up being expensive cost-cutting measures. In one case a transit company did not replace its Windows XP operating systems, leaving every one of those older computers vulnerable because they no longer received security updates. A couple of the big ransomware cases seem to have started because someone was tricked into providing their individual password, and that was all that was needed to start controlling a computer on their system.
There is a limit to how much you can and should spend on prevention. Don’t skimp and make yourself an easy target, but keep in mind that some of these cyber criminals have sophisticated networks of highly trained computer technicians working every day to break into the latest routers and defeat the most modern anti-malware software.
You should also know what to do if the prevention does not work. Some of the basics here could save your company a lot of time and money on a bad day.
Have all your data fully backed up at least twice. Our clients are advised to have a daily on-site and off-site backup running automatically. Think of the cloud data, too. Do you have an independent backup of it somewhere in case hackers get into your cloud controls? When setting up a cloud service, this is a question to ask the vendor’s techs (not the sales people), and make sure that such a backup function exists. Make sure that your backups include your software library. You should never have to pay to get your data back.
Back up your systems too. Whether you are hosting in house or in the cloud, make sure you have a safe copy of the virtual machine image. Since it is a full recording of a complete computer, this image will allow you to rebuild without having to set up new security users and groups.
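The two-copy rule in the two paragraphs above can be checked mechanically rather than trusted. The script below is an added example written for this article, not the company's own tooling: it builds a constructed practice data folder with an on-site copy and an off-site copy, then verifies that each copy exists at a distinct location, matches the source file for file by checksum, and was written within the last 24 hours, so a nightly job that silently stopped or produced a corrupted copy is caught before the day you need it. All directory and file names are invented for the demo.

```shell
#!/bin/sh
# Added example (not the article's or any vendor's code): verify that a
# backup set exists in two independent locations, is fresh, and matches
# the source. Demo paths and sample files are constructed below.
set -u

# checksum_tree DIR -> one checksum covering every regular file under DIR
# (relative path plus content), so two copies can be compared as a whole.
checksum_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        printf '%s ' "$f"; cksum < "$f"
      done ) | cksum | cut -d' ' -f1
}

# verify_backup_copy SRC COPY -> 0 if COPY exists, matches SRC, and has
# at least one file written within the last day (the backup actually ran).
verify_backup_copy() {
    vbc_src=$1; vbc_copy=$2
    [ -d "$vbc_copy" ] || { echo "FAIL missing copy: $vbc_copy"; return 1; }
    [ "$(checksum_tree "$vbc_src")" = "$(checksum_tree "$vbc_copy")" ] \
        || { echo "FAIL content mismatch: $vbc_copy"; return 1; }
    [ -n "$(find "$vbc_copy" -type f -mtime -1 | head -n 1)" ] \
        || { echo "FAIL stale (no file newer than 24h): $vbc_copy"; return 1; }
    return 0
}

# verify_backup_set SRC ONSITE OFFSITE -> 0 only if both copies pass and
# they are not the same directory (two paths to one disk is one backup).
verify_backup_set() {
    verify_backup_copy "$1" "$2" || return 1
    verify_backup_copy "$1" "$3" || return 1
    [ "$(cd "$2" && pwd -P)" != "$(cd "$3" && pwd -P)" ] \
        || { echo "FAIL on-site and off-site copies are the same location"; return 1; }
    echo "OK backup set: $2 and $3 both match $1 and were written within 24h"
    return 0
}

# make_demo_dirs builds a constructed practice data folder, two good
# copies, and one copy where a chart file has been altered.
make_demo_dirs() {
    DEMO=$(mktemp -d)
    SRC=$DEMO/practice_data
    ONSITE=$DEMO/onsite_nas
    OFFSITE=$DEMO/offsite_cloud
    BAD=$DEMO/corrupt_copy
    mkdir -p "$SRC/charts" "$SRC/software"
    printf 'constructed sample chart record\n' > "$SRC/charts/patient_0001.txt"
    printf 'constructed installer bytes\n' > "$SRC/software/billing_setup.bin"
    cp -R "$SRC" "$ONSITE"
    cp -R "$SRC" "$OFFSITE"
    cp -R "$SRC" "$BAD"
    printf 'tampered\n' > "$BAD/charts/patient_0001.txt"
}

make_demo_dirs
verify_backup_set "$SRC" "$ONSITE" "$OFFSITE" || echo "unexpected: good set rejected"
verify_backup_set "$SRC" "$ONSITE" "$BAD" || echo "corrupt copy correctly rejected"
```

In practice you would point the first argument at the nightly export of the practice data (including the software library the article mentions) and the other two at the NAS mount and the synced cloud folder, then run the script from a daily scheduled job that pages someone when it exits non-zero. The freshness check uses `find -mtime -1`, which is portable; the content check deliberately compares the copies against the live source rather than against each other, so a backup job that faithfully copies an already-corrupted copy is still flagged.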
Have a plan. If you find that some of the systems are compromised, be ready to shut the whole thing down in a flash. Make sure that every employee, from tech support to remote laptop users, knows what to do when the alarm sounds. The more computers that are shut down before being infected, the better your recovery will go. Other computers will need to be ready to be reinstalled fresh on new hard drives. The plan should also include not deleting the evidence that you may need for forensics, lawyers or the police.
Office network security is going to be more expensive, even as the cloud gives us backup coverage and security protection that a small business could never have afforded on its own.
You can use this article as a first-draft checklist to see where you stand. If you are considering moving from office servers with a practice database to the cloud, you will want to shop for products that meet your needs, work well with the other software you will be using, and are up to the security standards needed in today’s computer networking world.