If you work in the healthcare industry, you are probably well aware of the importance of cyber security. From major health insurance companies like Premera and Anthem, Inc. to hospitals and physician practices, healthcare companies are often the target of cyber attacks. When an attack occurs, it can result in the disclosure of Protected Health Information (PHI), which can subsequently have wide-reaching ramifications for the respective practice. So today we're going to reveal some of the most common cyber security mistakes made by healthcare workers.
Not Using an Auto-Logoff Feature
Why should you use an auto-logoff feature? If someone in your healthcare practice accesses the network but doesn't log off, someone else – a person who isn't authorized to view PHI – could use the machine to view sensitive patient information. Instances such as this are easily avoided, however, by implementing an auto-logoff feature in which users are automatically signed off after X minutes/hours of inactivity.
Clicking on Links in Emails
It may seem harmless enough, but you should avoid clicking links in emails. Even if the link looks legitimate, it could infect your healthcare practice's network with malicious software. Known as “phishing,” this is an all-too-common tactic used by hackers to access otherwise protected networks.
Using Poor Passwords
Granted, it's easier to remember a password like “Myspace123,” but just because it's easy doesn't necessarily mean it's the best choice. Simple passwords such as this are a serious cyber security mistake, especially when it involves healthcare systems and networks. A strong password should consist of a combination of upper-case letters, lower-case letters, numbers (in non-sequential order), and special characters.
No Remote Wipe Feature
Let's hope it never happens, but if a laptop or other storage device were ever stolen from your healthcare practice, would it result in the disclosure of PHI? You can mitigate the risk of data disclosure by implementing a remote wipe feature. If a laptop is ever stolen, you can then wipe the sensitive data from it.
Storing PHI Without Encryption
While the Health Insurance Portability and Accountability Act (HIPAA) of 1996 does not specifically require covered entities to encrypt their data, it's still a good idea to do so. Encryption will prevent hackers or other “prying eyes” from reading the document's contents. Technically, the document can still be retrieved, but it won't be readable unless it can be decrypted.