According to information released by the Health and Human Services (HHS) Office for Civil Rights (OCR), hacking accounted for nearly 80% of all HIPAA breaches. In addition, this has increased by 46% over the last 5 years. This is a sobering reminder of just how serious this threat is to the small practice.
With the threat of fines also looming in these HIPAA breaches, the small practice is left with hard choices. Most practices don’t have the internal expertise to do all the things necessary to secure their networks. Most offices have that person who knows a bit about computers and can get printers working again. But now that person also needs to know about firewalls, reviewing logs, and creating security awareness training programs. It’s a lot for a small practice to take on.
Because of this, we are going to discuss some things that every practice can do to help lock down their networks and secure their patient data. These won’t prevent all attacks, but they will go a long way to making sure you are safe.
Quick Wins to Protect Against HIPAA Breaches
What are some things you can do now to help improve the security of your practice? While there is no substitute for having a thorough cybersecurity plan in place, there are some things you can do quickly to greatly reduce your attack surface and protect you against HIPAA breaches.
Humans are very bad at choosing passwords. One reason is that we have so many to remember now. But a strong password is your last line of defense from an attacker. Here are a few tips to help you choose attack-resistant passwords.
- Choose 3 or 4 random words and string them together – safety eagle truck apple
- Now add a number and punctuation to that string – safety4eagle*truckapple
- Capitalize one or two letters and you have – safety4Eagle*truckApple
This is a 23-character password that is easy to remember and is extremely resistant to attacks.
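The recipe above, turned into a small generator and policy check (an added example, not code from the original post): it picks random words with the `secrets` module, inserts one digit and one punctuation mark between words, capitalizes one or two letters, and estimates the resulting strength. The word list is a constructed stand-in; a real generator should load a list of several thousand words.

```python
import math
import secrets
import string

# Constructed sample word list; real use loads several thousand words.
WORDS = ["safety", "eagle", "truck", "apple", "river", "candle", "marble",
         "pillow", "garden", "rocket", "silver", "window", "basket", "forest",
         "lantern", "meadow"]
PUNCTUATION = "!@#$%^&*-_=+?"


def capitalize_some(text: str, count: int) -> str:
    """Upper-case `count` distinct lower-case letters at random positions."""
    positions = [i for i, ch in enumerate(text) if ch.islower()]
    chosen = set()
    while len(chosen) < min(count, len(positions)):
        chosen.add(secrets.choice(positions))
    return "".join(ch.upper() if i in chosen else ch
                   for i, ch in enumerate(text))


def make_passphrase(words=WORDS, num_words=4, capitals=2) -> str:
    """Page recipe: random words, then a digit and a punctuation mark,
    then one or two capitals (e.g. safety4Eagle*truckApple)."""
    picked = [secrets.choice(words) for _ in range(num_words)]
    gaps = list(range(1, num_words))          # slots between words
    digit_gap = secrets.choice(gaps)
    punct_gap = secrets.choice([g for g in gaps if g != digit_gap] or gaps)
    parts = []
    for i, word in enumerate(picked):
        if i == digit_gap:
            parts.append(secrets.choice(string.digits))
        if i == punct_gap:
            parts.append(secrets.choice(PUNCTUATION))
        parts.append(word)
    return capitalize_some("".join(parts), capitals)


def entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Rough guess-resistance in bits; ignores placement and capitalization."""
    return (num_words * math.log2(wordlist_size)
            + math.log2(10) + math.log2(len(PUNCTUATION)))


def follows_recipe(pw: str) -> bool:
    """Quick policy check: long enough, has digit, punctuation, both cases."""
    return (len(pw) >= 16 and any(c.isdigit() for c in pw)
            and any(c in PUNCTUATION for c in pw)
            and any(c.isupper() for c in pw) and any(c.islower() for c in pw))
```

With a 7,776-word list (the common diceware size), four words plus the digit and punctuation give roughly 59 bits, far beyond what the 16-word demo list can provide.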
Use a password manager. Password managers will create long, random passwords for all of your online accounts. This ensures that each account has its own strong, unique password. These passwords will all be stored encrypted in the password manager’s vault. You will only need to remember one password going forward – the one that opens your vault. In addition, password managers work on your computer and mobile devices so you can have your passwords with you wherever you may need them. Good examples of password managers are Bitwarden and LastPass.
This is a really good defense you can add to your accounts. Multi-factor authentication uses additional levels of authentication to grant access to your account. You are likely familiar with receiving a text message with a code that must be entered before you can log into an account. This is an example of multi-factor authentication. Your password, together with this code, is what grants your access. If a hacker were to steal your password, they still wouldn’t be able to gain access without also having this code. This is one of the best ways to lock down your online accounts from attacks.
Most online accounts such as Facebook, Instagram, Apple, Google, Amazon, etc., all allow for multi-factor authentication. You can install a free app known as an authenticator app and it will generate a new one-time code every 60 seconds. These apps are usually installed on your mobile device so that you always have them with you when you need them. Examples of these apps are Google Authenticator and Authy.
Phishing is the number one attack type that hackers will use to get into your network. This is because it is a low-risk, high-reward method for attackers. They can send out millions of phishing messages and if only a tiny fraction respond, they have a high chance of compromising a network. The best way to combat phishing attacks is by training your staff. But even the most suspicious person still makes mistakes and that is where email filtering comes in. Email filtering works by looking at all incoming emails and then deleting those from known phishing addresses or those that contain malware. If you’re using Microsoft 365, you can look into their higher-tier services to add filtering to your account.
In the past, simply having anti-virus software installed was enough to keep you safe. But over the last 10 years, this has really changed. Now malware contains code that is designed to exploit weaknesses in computers even before patches have been released. Because of this, anti-malware software has had to evolve well beyond the anti-virus scanners of old. Today, most anti-malware software relies on some form of artificial intelligence that works on a global scale so it can react much faster to possible attacks. This is especially helpful for ransomware attacks. Once an attack happens at one site, the anti-malware software can update the central server which will then update clients around the world. This allows for a much faster level of learning than in previous forms of protection. Windows has its own built-in anti-malware which isn’t bad. However, there are better options such as SentinelOne, Carbon Black, and others.
Those are some things you can do in your practice to quickly make things more secure. While these won’t keep out all attacks, they will go a long way toward reducing the areas where you can be attacked. Think of it like low-hanging fruit on a tree. We want to be the fruit at the top of the tree so that the majority of attacks won’t waste their time on us.