Skip to content
CyberSecurity Advise for Healthcare Managers
In the healthcare industry information security is paramount. Maintaining healthcare IT security is critical in order to maintain HIPAA compliance and to protect patient information – and there are a number of concerns that should be addressed to help prevent security issues. It certainly can be overwhelming, especially since new security threats are cropping up daily. Today, many medical practices are turning to qualified professionals to assist in protecting electronic Protected Health Information (ePHI) and keep them HIPAA Compliant. At Jeter IT Solutions we believe establishing a security culture is paramount for the continuity of your business.
Here are some best practices to help ensure your medical practice’s IT network is secure
Think about your employees. Provide security training on the basics, on the principles of security and on situational awareness to ensure swift reporting of situations that could foretell security issues.
Strictly enforce and promote “Minimal Necessary Access” with your staff and others. Make sure access is limited to that which is necessary to carry out one’s functions and that only the minimum amount necessary is shared with others who request data.
To the extent possible maintain the latest software, browser and operating systems.
Windows XP and Server 2003 are NOT compliant and should be replaced ASAP. The most consistent way to reduce the risk of exposure and compromise is maintaining an up-to-date enterprise. Also, run the latest antivirus software and update it regularly.
Put a firewall in front of your network between you and the Internet.
Consider outsourcing management of this device to a credible Managed Service Provider. Firewalls can be complex and definitely require monitoring, but finding the right partner here can be invaluable. Firewalls provide detection of and protection against security threats to your network. They act like a giant moat and gate to your network. Todays firewalls include a number of great features that can harden your network against outside threats and internal user behavior. Features like Intrusion Protection and Intrusion Detection, Spam Filtering and traffic monitoring can be extremely worthwhile investments. At a minimum make sure they’re properly installed and configured to allow only the minimum amount of access needed to run your medical practice.
Perform and encrypt offsite backups.
HIPAA requires that medical practices be able to recover 100 percent of patient data in the enterprise, and your business demands that you can restore systems in a timely manner. Back up everything (apps, systems, data) regularly and store them in a safe off-site location. Consider utilizing a disk to disk image based backup (instead of tapes) of your entire system to decrease downtime and improve your recovery time objective (RTO). Additionally, insure any backups are encrypted and sent offsite periodically for safekeeping.
Provide for appropriate physical security of your facilities as well as your systems and information.
All servers and infrastructure devices should be kept behind closed doors. You may even want to limit access by requiring electronic passkeys to enter your server room. Another option is to ensure your server room is locked at all times with only administrators having the key.
If you have WiFi protect it properly.
Only WPA2 encryption meets the standard for Safe Harbor. Make sure you use it. The cost of a breach can be devastating to a small practice; using the right encryption can eliminate that risk. Make sure you are not broadcasting your network name (SSID) and use MAC address filtering. Make the bad guys have to work to find you.
Use strong passwords and change them regularly.
In the Password Management Section of HIPAA’s Security Standards: Administrative Safeguards requirements, it states that “Entities must ensure that workforce members are trained on how to safeguard the information. Covered entities must train all users and establish guidelines for creating passwords and changing them during periodic change cycles.” While it does not state a specific time frame for periodic changes, best practices are to update passwords every 30-45 days. This should be an automated process defined in your group policies. Passwords should be strong, containing a combination of capital and lowercase letters, numbers and symbols and should be at least 8 characters or longer. Passwords should never, ever, be left out in the open or written on post it notes. If you or your employees have trouble remembering passwords consider investing in a password management software. They are relatively inexpensive.
Use email spam and virus filtering.
It’s been estimated that spam emails cost society upwards of $20 billion a year, including lost productivity. A properly configured spam filter will improve productivity, while protecting you from malicious attacks and preventing your team members from falling for phishing emails. Stay away from free antivirus software solutions and only go with the best well known vendors. A good solution should be able to provide you with reports on its performance.
Assess and Test Annually.
If you want to be compliant you must constantly be assessing your systems and processes by conducting IT audits, risk assessments, and vulnerability testing. Jeter IT Solutions conducts these reviews for our clients to develop a 12 month road-map and budget that prioritizes our action items. We go through these with our clients during their quarterly business reviews.
Contact us to find out what IT support and HIPAA compliant IT solutions we can offer your practice.
Share This Story, Choose Your Platform!