How to secure your medical practice against cyber threats – even if you’re working from home

How to care for COVID-19 patients is not the only question haunting physicians. Here are three cybersecurity issues that probably trouble them even more. 

1. How safe is my personal computer, if I have to work from home?
2. Can I use my mobile phone to access the office EHR? 
3. What are the chances of my practice getting crushed by a ransomware attack?

Phishing and ransomware attacks are threats as real as COVID-19 for every medical facility. 

The FBI notification of April 1, confirms this threat. It reported more than 1200 complaints related to COVID-19. The reported incidents include, phishing attacks against first-responders and ransomware attacks on medical facilities. 

Information security has always been the top healthcare priority. But now, with physicians working away from their secure office networks – this subject needs urgent attention. Based upon the AMA and AHA recommendations for physicians, this blog article addresses the following four cybersecurity issues.

1. Securing your computer 
2. Securing your mobile devices
3. Protection of home network
4. Working with medical devices

The two biggest cyber threats – Phishing and Ransomware

Phishing and ransomware have been identified as the two biggest cyber threats to healthcare practices, and you as a healthcare worker should grow weary of the threat they pose. The year 2019 was particularly a dreaded year with several practices forced to stay shut for long periods due to Ransomware.

Phishing attacks, especially spear phishing, are the first to look out for. A phishing attack is what mostly precedes ransomware attacks. They can even lead to malware attacks that attempt at stealing medical records from your computer and office networks. Be very careful when clicking links, opening attachments, and downloading files. 

First thing that you need to tackle this challenge is to make your computer safe. Here are the essential steps that must take:

1. Make sure that every member of your staff has a unique login name and password.
2. Have strong passwords 
3. Bar all users from using Administrative login. Create limited access accounts for everyone. 
4. Use only safe, and necessary software. Audit the software installed on your computer – Delete any unfamiliar software as soon as you find it.
5. Keep your operating system, browser and software updated. These updates often address security issues. If this is not done on time, it can lead to theft or destruction of patient information. Check your computer and browser settings, if an update is pending then run it. If workable, activate automatic updates. 
6. Buy and install an antivirus software. Run anti-virus software updates at least once a week. 
7. If you use MS-office, then disable macros. 

Here’s the AMA checklist for more tips on securing your computer. 

Use Virtual private network (VPN) 

The next thing to consider is connecting your home devices to your office network. Unsecure connections can get intercepted by cyber criminals. 

Consider using a Virtual private network (VPN) for connecting with your office network. If you need to access patient records or diagnostic images stored in your EHR system, use the VPN. It’s very much a virtual wire to your office computers. Because a VPN connection is encrypted, you won’t have to worry about people snooping on your computer. 

Protecting your emails from phishing attacks 

Most malware and ransomware attackers sneak in through your email system. Your first line of defense is to activate email protections, such as advanced threat protection (ATP). ATP can detect malware based behaviors and warn you in advance. 

Another important protection is establishing multi-layer authentication in your processes. If you receive an email request for sharing data or changing payment information, call and get a verbal confirmation.

Other important suggestions include, enabling

1. Multi-factor login authentication
2. Lock-out feature for repeated incorrect login attempts
3. ‘External email’ banners for outside emails
4. Application whitelisting for apps that can run on your system

Have a back-up strategy

If your firm gets hit by a ransomware or malware attack, it’s really difficult to get your computers back. Experience shows that paying ransom, too, doesn’t work in most cases. The best protection against such attacks is to have a data back-up strategy and getting an insurance policy against cyber threats.

Consider using the 3-2-1 rule to create your backup 

1. Have 3 offline segmented backup copies of your data
2. Use 2 different storage media types
3. Have 1 cloud based backup.

And, ensure direct and cloud access to your backup data is highly restricted. 

Review your cybersecurity insurance 

Review your cybersecurity insurance, find out what’s covered and what are the limitations of your policy. 

What if you get hit by a cyberattack?

Notify your financial institution immediately. 

The probability of you getting your money back remains high in the first 72 hours. At the time, find a complaint with the local FBI field office and at the IC3 website – they would work with you and your institution to get your funds back.

How to get your data back?

Prepare a list of Forensic firms who could help you recover your data in the event of a ransomware or malware attack. Contact the FBI. They may be able to work with you and other agencies to help with decryption of your data (jargon) or in negotiating with the perpetrators. 

But sometimes I use my phone for work purposes! 

It’s recommended that whether you use a personal computer, a laptop, tablet or a mobile phone, use a VPN to access your office network. 

Which VPN to use? 

Contact your EHR vendor to figure out which VPN would they recommend to be used with their software.

However, just using a VPN isn’t enough. Again, ensuring strong safety measures are necessary to ensure that your network doesn’t get hacked. Multi-factor authentication, strong password practices, timely security updates, remain the most important protections against intrusions. 

EHR and telemedicine Apps

If you select to work using your mobile devices, you may want to consider apps that allow you to manage your EHR from your device. There are apps available for providing telemedicine services and communicating with your patients. 

You’d also come across apps that support all three – managing EHR, telemedicine services and communicating with patients. But, before you start using an App, it’s best to consult with your EHR vendor first. Find out 

• If they endorse the app that you want to use
• If they have an in house Apps
• Recommended apps
• The compatibility of the app at you select with your devices

Also, go through the App list on this page when choosing your telemedicine app – these apps are known to agree to get into business associate agreements with covered providers. 

Safeguarding your home network

The biggest trouble which you might come across would be to safeguard your network connection. At hospitals and clinics, this work was being done by a professional IT consultant. Now, the entire onus for the protection of your network falls upon you. 

Weaknesses in your home network can be exploited and impact patient information. The risks include devices such as your printer, mobile phone, tablets, computers sharing networks, and so on – If any of them gets compromised, your electronic health data can get compromised. 

Here’s the document from AMA to help secure your home network from cybersecurity threats. 

Precautions with Medical Devices

Your medical devices too aren’t safe from cyberattacks. Medical devices are often exploited by criminals to launch malware and ransomware attacks. 

Here are a few steps that you can take

1. Involve your information security team when acquiring new medical devices. They should also be involved with daily use and maintenance of devices with you. 
2. Maintain an inventory of medical devices with you, classifying which devices network connected, network capable, and stand alone. 
3. Keep an inventory of the operating systems, firmware, and software applications contained in your devices. Ask the manufacturer to provide you with a ‘software bill of material’ for your devices. 
4. Install updates and patches as soon as a vendor releases a new version. 
5. Disconnect vulnerable medical devices from your network. 
6. Use proper access controls, password protection, and encryption for your devices.
7. Remove all unnecessary information stored on your medical devices.

Information security is considered as a top priority by all healthcare organizations. If you need any help with your Information security systems, or if you want to share your views with our readers, please leave a comment in the section below. Our readers would be happy to reply to your queries.