What is Cybersecurity?
Cybersecurity is the protection of data, and of the systems and networks that store, process, and transmit it, from unauthorized access, disruption, or destruction. Physicians and practices should consider the following measures to protect against unauthorized access to their data and systems:
- Use strong, unique passwords for each system and account, and change them promptly whenever a compromise is suspected.
- Install anti-virus software.
- Train employees in key areas – Acceptable use, password policies, defenses against social engineering, and avoiding phishing attacks.
- Create security policies and make sure all employees commit to them.
- Encrypt all records and confidential data, both on stored devices and in transit, so that a stolen laptop or intercepted connection does not expose readable PHI.
- Perform frequent backups and keep a copy of recent backup data off premises.
- Keep your network behind a properly configured firewall and make sure you can detect and block unauthorized devices and connections.
- Address bring-your-own-device (BYOD) use by setting one standard security policy for any personal device that touches practice data, and enforcing it.
- Control access to PHI.
- Control access to devices.
Another option is to hire a company to do the above for you. HealthITSecurity.com reviewed some of the top healthcare cybersecurity companies.
How to Implement a Cybersecurity Program
What is Ransomware
Ransomware is a form of malware that encrypts the files on a computer, preventing the user from accessing their own data. A decryption key is needed to recover the locked files. That key is held by the attackers, who offer to release it only when a ransom is paid; payment is no guarantee that a working key will actually be provided, which is why a recent backup kept off premises is the most reliable way to recover.
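The backup item in the checklist above and the ransomware description both depend on the same practical question: can the off-premises copy be trusted before it is used for recovery? The following script is an added example, not part of the TMA page or any TMA tool, that records a SHA-256 hash of every file in a backup set and later checks the set against that record. Files that ransomware has encrypted in place no longer match their recorded hashes and are reported as changed; files that were deleted are reported as missing. The file names and contents in `demo()` are constructed sample data.

```python
"""Added example (not from the TMA page): build and verify a SHA-256 manifest
for a backup set so a copy kept off premises can be checked before it is
trusted for recovery. Files that ransomware has encrypted in place no longer
match their recorded hashes and are reported as 'changed'."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 digest of a file, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the files under root against a previously built manifest.

    Returns a dict with three sorted lists:
      intact  - files whose hash still matches the manifest
      changed - files present but with a different hash (e.g. encrypted)
      missing - files listed in the manifest but absent from root
    Files under root that are not in the manifest are ignored.
    """
    current = build_manifest(root)
    intact = sorted(p for p in manifest if current.get(p) == manifest[p])
    changed = sorted(p for p in manifest
                     if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    return {"intact": intact, "changed": changed, "missing": missing}


def demo():
    """Constructed sample data: two records, one later 'encrypted' in place."""
    with tempfile.TemporaryDirectory() as backup:
        with open(os.path.join(backup, "patient_001.txt"), "w") as f:
            f.write("constructed sample record\n")
        with open(os.path.join(backup, "patient_002.txt"), "w") as f:
            f.write("another constructed sample record\n")

        manifest = build_manifest(backup)
        # Keep the manifest with the off-premises copy so both travel together.
        with open(os.path.join(backup, "MANIFEST.json"), "w") as f:
            json.dump(manifest, f, indent=2)

        # Simulate ransomware: overwrite one record with ciphertext-like bytes.
        with open(os.path.join(backup, "patient_002.txt"), "wb") as f:
            f.write(os.urandom(64))

        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from a clean machine against the copy that was kept offline; a manifest stored only alongside a backup that ransomware can reach can be rewritten together with the files it describes, so keep a separate copy of the manifest (or its own hash) somewhere the practice network cannot write to.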
If you have cybersecurity questions, call TMA's Health Information Technology Department at 800-880-5720, or send an email to HIT@texmed.org.
How to Report a Cyber Incident to the Federal Government
HHS defines a computer security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.” If you suspect an information security or privacy related incident, contact your OPDIV Chief Information Security Officer or the HHS Computer Security Incident Response Center (CSIRC). The HHS CSIRC can be reached at firstname.lastname@example.org or 866-646-7514. Read more here.
My entity just experienced a cyber-attack! What do we do now?
What is a Risk Assessment?
A risk assessment involves identifying the information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data, intellectual property, etc.), identifying the threats and vulnerabilities that could affect each of those assets, and estimating the likelihood and impact of each risk so that the most serious ones are addressed first.
How to Conduct a Risk Assessment
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk.
Tool Kits & Resources:
- ONC Security Risk Assessment Tool - The Office of the National Coordinator for Health Information Technology (ONC) developed a downloadable SRA Tool to help guide you through the process of a security risk assessment.
- ONC Security Risk Assessment Videos - Information on what a risk assessment may involve
- ONC Top 10 Myths of Security Risk Analysis
- Texas Medical Liability Trust (TMLT) - Offers low-cost tool kits, sized for solo and small group practices as well as medium to large practices, and help with conducting the security and risk analysis.
- ONC SAFER Guides - Recommendations on what practices need to do to achieve safe and effective electronic health record (EHR) implementation and use. The recommendations should be considered proactive risk assessments that aim to mitigate and minimize EHR-related safety hazards. Includes recommended practices as well as examples.
For more information on HIPAA and the HITECH Act, click here.
Insurance and Liabilities
One of the greatest threats to physician practices is the growing number of stolen laptops and other portable devices; a single lost device holding unencrypted PHI is treated as a security breach for the entire organization. In addition, when employees have limited access to hospital portals and EHRs, they may resort to sharing passwords, which removes individual accountability, puts PHI at greater risk on the practice side, and exposes the hospital to a security breach as well.