Five Tips for Improving the Security of Your Practice
Minimizing your risk of a cyberattack must be a priority in today's environment. The days of relying solely on your IT company, a firewall and anti-virus software to mitigate threats are over. Cyberattacks take many forms and are often initiated from within your practice. A common example is a spear phishing email: you or a team member receives a message that appears to come from someone you know or trust, opens the attachment, and discovers too late that it was ransomware. Now you have a potential data breach on your hands. How can you minimize your chances of a breach? Engage a company that can independently audit the security your IT company has put in place, train your staff to recognize cybersecurity threats, and implement the best practices below.
1. Wi-Fi Security
The current Wi-Fi standard, WPA2, has known weaknesses: an attacker who captures a device joining the network can attempt to crack a weak pre-shared key offline, and the WPA2 protocol itself has had published flaws. Until the newer WPA3 standard is available on your equipment, a practice should consider hardwired connections for the workstations and servers that handle patient data, and should use a long, random Wi-Fi passphrase wherever Wi-Fi remains in use. Your network should be segregated into two distinct segments: (1) your business network and (2) your guest network. Make sure your IT company implements a VLAN (Virtual Local Area Network) to separate the two, and that the firewall between them blocks all traffic from the guest segment into the business segment; a VLAN that is not enforced by firewall rules separates nothing. The guest network should be used for patients' devices and for team members' personal phones and laptops.
2. Two-Factor Authentication
Two-Factor Authentication, also called Multi-Factor Authentication (MFA), is a powerful tool that can help prevent the takeover of vital assets such as email and bank accounts. Go into the settings section for each of your accounts and turn on multi-factor authentication. If you are not sure how to change your settings, contact the vendor or search for the vendor's instructions. Multi-factor authentication uses a second factor, typically something you physically have, to confirm your identity in addition to your password. For instance, when you log into your email account from an "unknown" device, your email provider will not recognize that device and will send a code to your cell phone or ask you to approve the login in an authenticator app. Enter that code into the login screen and you are authenticated. If a hacker obtains your username and password, two-factor authentication can often block them from accessing your account. Where the vendor offers a choice, prefer an authenticator app or a hardware security key over text-message codes, since phone numbers can be hijacked.
3. Social Engineering
Social engineering is the practice of gaining access to your office or systems by convincing someone in your organization to give up critical information (such as a username and password) that the attacker then uses to reach your data. Another common scam is a phone call to your office from someone claiming to be from your software or hardware vendor who needs to "make updates to the system" through a screen share. If a team member falls for it and establishes the screen share, the caller potentially has complete control of that workstation and everything it can reach. The defense is procedural: hang up and call the vendor back on a number you already have on file, never one the caller provides, and allow remote sessions only for work your practice scheduled and can match to a ticket.
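Both the spear phishing scenario in the introduction and the impersonation described in this section rely on a sender who looks like someone you trust. As an added example (not code from the original article), the following script applies the checks a mail gateway or help-desk triage tool would run on the From and Reply-To headers: exact matches against a list of trusted domains, near-miss "typosquat" domains, trusted names used as a subdomain of an attacker's domain, a staff member's display name on an outside address, and a Reply-To that diverts the conversation elsewhere. The trusted domains, the staff names and the sample headers are constructed for this example and are not from the page.

```python
"""Flag sender headers that impersonate a trusted domain or person.

Added example, not code from the original article. TRUSTED_DOMAINS,
STAFF_NAMES and every header in the usage section are constructed.
"""
from email.utils import parseaddr

# Constructed for this example: the practice's own domain and its vendors.
TRUSTED_DOMAINS = {
    "smiledental.example",
    "dentalsoftware.example",
    "imagingvendor.example",
}
# Constructed for this example: display names an attacker would borrow.
STAFF_NAMES = {"dr. jane smith", "jane smith", "office manager"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits from a trusted domain is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_sender(from_header: str, reply_to_header: str = "") -> list[str]:
    """Return the reasons a message looks like impersonation (empty = no finding)."""
    findings: list[str] = []
    display, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    if not domain:
        return ["unparseable-from: no sender address found"]

    if domain in TRUSTED_DOMAINS:
        # Genuine sending domain, but a diverted Reply-To sends the victim's
        # answer (and any credentials they type into it) to the attacker.
        _, reply_addr = parseaddr(reply_to_header)
        reply_domain = sender_domain(reply_addr)
        if reply_domain and reply_domain not in TRUSTED_DOMAINS:
            findings.append(
                f"reply-to-mismatch: replies go to {reply_domain}, not {domain}")
        return findings

    for trusted in sorted(TRUSTED_DOMAINS):
        if domain.startswith(trusted + "."):
            # smiledental.example.evil.example is owned by evil.example.
            findings.append(f"subdomain-trick: {domain} is not {trusted}")
        elif levenshtein(domain, trusted) <= 2:
            findings.append(f"lookalike-domain: {domain} resembles {trusted}")

    if display.strip().lower() in STAFF_NAMES:
        findings.append(
            f"name-impersonation: '{display}' sent from untrusted domain {domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, one per trick described above.
    samples = [
        ('"Dr. Jane Smith" <jane@smiledental.example>', ""),
        ('"Dr. Jane Smith" <jane@smiledenta1.example>', ""),
        ('"Support" <support@smiledental.example.evil.example>', ""),
        ('"Jane Smith" <drjane.smith@gmail.example>', ""),
        ('"Billing" <billing@smiledental.example>', "billing@evil.example"),
    ]
    for from_hdr, reply_hdr in samples:
        print(from_hdr, "->", assess_sender(from_hdr, reply_hdr) or "ok")
```

In practice the trusted-domain list should be generated from your vendor and BAA inventory rather than typed by hand, and a finding should route the message to a human for the callback procedure described above rather than silently dropping it.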
4. Business Associates Agreements (BAAs)
Any entity that has access to your patient records or your network must have a business associate agreement (BAA) executed with you, the covered entity (the doctor or practice). Examples of business associates are IT companies, consultants, accountants, software companies, imaging companies, cloud backup providers and so on. In the event of an audit or breach, the U.S. Department of Health and Human Services Office for Civil Rights will request a multitude of documents from you, including copies of all your signed BAAs.
5. IoT (Internet of Things)
IoT devices such as smart TVs, digital picture frames, digital thermostats and home/office automation are gaining popularity in the dental space. These devices, however, often ship with default passwords and unpatched software that attackers can easily exploit, and a compromised device on your business network becomes a foothold from which your patient database can be reached. By working with a cybersecurity company, such as Black Talon Security, vulnerabilities can be identified and mitigated, minimizing your chances of a data breach. Make sure that every default password on these devices is replaced with a complex one, that they have the latest software patches installed, and that they live on the guest or a separate VLAN rather than on the business network that holds patient data.
Black Talon Security specializes in PCI scanning, HIPAA compliance and cybersecurity, and can help mitigate your risk of a cyberattack and ensure that you are complying with both state and federal laws.
Practitioners must understand that their network should be independently audited by a cybersecurity company to make sure their IT company has not missed critical vulnerabilities that a hacker could exploit to gain access to the network.