Data breaches are as prevalent as ever, with news of large-scale breaches, such as tech-giant Facebook and insurance company Anthem—which recently paid out $16 million over a 2015 data breach—popping up on the news nearly every week. Medical practices, though not necessarily a large target like major corporations, are often easier targets because of the personal and financial information available.
Here are five tips for avoiding HIPAA-related data breaches:
- Perform a Risk Analysis of Your Staff and Your Security Procedures
At least once a year, conduct a risk analysis of your staff and your practice’s procedures. This can be quite technical, including testing firewalls and antiviral software. It also includes making sure that passwords are updated and changed, all software patches have been installed and software or technology is updated. Consider hiring an outside firm with expertise in HIPAA requirements to conduct this analysis. Your initial outlay will likely pay off in the long run by preventing future breaches.
- Designate a HIPAA Security Officer
Designate a member of your technology team to oversee your annual risk analysis and update any policies and procedures. This person also needs to lead the charge in educating and monitoring the staff on compliance with HIPAA and cybersecurity procedures.
- Hire a Consultant
If you have never done a HIPAA risk analysis, or you have not updated yours in a while, hire a consultant. They are knowledgeable on the relevant rules and regulations and can help review procedures and technology, which are constantly changing and requiring updates.
- Take Cybersecurity Seriously and Invest in Countermeasures
The cost of investments in your cybersecurity program are insignificant when compared to the cost of a single data breach on the reputation and integrity of your practice. Invest time and resources in your cybersecurity program, including the development of policies and procedures, training employees, hardware and infrastructure updates, anti-phishing, anti-malware and anti-virus countermeasures, and even cybersecurity insurance.
- Be Skeptical and Suspicious
We tend to think of hackers as computer nerds that write programs that hack into your data unbeknownst to you. In reality, most data breaches today are the result of stolen credentials, often obtained through social engineering whereby the hacker tricks the user into giving away their username and password. Often this is done by soliciting employees to click a malicious link and log into a fake website. Constant communication and training to staff to exercise caution when opening attachments or clicking links from unknown senders is a must.
Guard it with your life
There is nothing more personal or valuable than a person’s health information. Experts estimate that a person’s health information is anywhere from 10 to 40 times more valuable to cybercriminals than credit card information, which makes medical practices an attractive target. Take it seriously and take the necessary steps to safeguard your patient data, and by extension, your practice.