The possibility of cyber liability (the threat of liability due to unlawful access to electronic data) has been in the news recently. The reports of security issues include losses by large and small providers. Based on the reports in the media, it would appear that no one is immune to this threat. While there can be no guarantee of immunity, there are things that healthcare providers can do to reduce the threat of loss.
The first step is good, old-fashioned physical security for devices that store electronic data on patients and employees. Many reports of loss stem from simple loss of custody of devices, either through inadvertent loss or criminal actions. Data and devices are valuable assets and should not be handled and stored carelessly. Offices should have multiple layers of security, including the following:
- Exterior doors and office doors should both be locked.
- A burglar alarm should be installed.
- Portable devices should be locked to a fixed object with a wire cable. Portable devices should not be moved from a secure location unless suitable steps are taken to ensure their security.
All devices should be protected from inappropriate access. They should be password-protected and the passwords should be difficult to overcome. Passwords should have a combination of uppercase and lowercase letters as well as numbers. Any device protected by a poorly constructed password (e.g., 1234) is not really protected. While requiring staff members to change their passwords regularly or requiring separate passwords for different applications may increase security, it also tempts staff members to write their passwords down, which diminishes their security immensely. This advice should be applied to any electronic device that has sensitive data on it such as desktop and laptop computers, smart phones, tablets, etc.
All devices should be electronically secure as well. This includes the installation of anti-virus and anti-malware software. It also includes backing up the computer regularly so that if an attack occurs, the files on the computer can be taken back to the last virus-free time. Additionally, new software updates to increase the security of the machine(s) should be installed as soon as they are available.
The facility or practice should also be covered by cyber-liability insurance. If data is lost or the system is paralyzed, there will be expenses involved.
Finally, staff members need to be trained on the ways to prevent unauthorized access to their machine and the network. They should be aware of “phishing” e-mails that seek to implant a virus on the machine when an attachment is opened or a link is clicked. If the staff member receives an e-mail from an unknown source with an attachment or link, they should be very wary of opening it.
There are no guarantees of security in cyberspace. However, there are things that can be done to reduce the threats that healthcare providers face in this uncertain age.
Interested in learning more for CME?
Review our course: Information Security Tips for Healthcare Professionals