Medical and Allied Health clinics are favoured targets of hackers looking to get access to the records of your patients, and to use your details to get an ‘in’ to other medical practices, hospitals or government organisations.
Every business is vulnerable to determined hackers, but implementing good IT security practices is a simple way to reduce the risk of your clinic being hacked.
Never put random USBs into any computer on your network
One of the oldest tricks in the book is for a hacker to leave a malware-filled USB lying around in an office or staff carpark. Staff are naturally trusting and curious, and want to return the USB to its rightful owner, so they pop the USB into their computer to see if they can work out whose it is.
As soon as the USB is plugged in, it runs a script that either encrypts all the records on the system or installs silent malware that sends all the records to the hackers. By the time you realise what is happening and attempt to rip out the USB, the damage is already done. That is, if you realise at all.
But what if you scan the USB using your anti-virus program thinking that will protect you?
The problem is that many infected USBs have auto-run programs that start before the scan takes place. Also, even the best anti-virus program can’t defend against all new strains of viruses, so may miss the infected files.
If you find a random USB in your clinic, the best solution is to treat it like any other lost and found object (with a few extra precautions). Put it in a sealed envelope with clear instructions on the outside about when and where it was found and that it is NOT to be plugged in, and store it in a locked cabinet. If no one claims it within a reasonable time, then throw it away.
It is also important to never agree to print or open a document on a USB from someone visiting the practice, whether a visiting Medical Officer or Patient. You cannot be sure the USB is clean.
Improve your Employee Exit Processes
Disgruntled ex-employees are a risk to your organisation. When people leave your clinic, their access to your systems needs to be removed the same day that they leave. This means passwords need to be changed and any remote access rights removed.
Improve your Email Security
Many hackers gain access via simple email attachments. Never run files with .exe in the name. Also, unless you are expecting a particular attachment from a person, never open a .doc, .pdf or .zip file, and NEVER agree to enable a macro from an email you have opened. Hackers have found ways to embed nasties in everything from standard Word documents through to PDFs and zip files, so treat all email attachments with suspicion.
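As an added example that is not part of the original article, the following Python script applies these rules to an incoming email on the receiving side: it blocks any attachment with .exe in the name (including double extensions such as report.pdf.exe), blocks macro-enabled Office files, and flags .doc, .pdf and .zip files from senders you were not expecting one from so they can be confirmed by phone before opening. The list of expected senders, the macro-enabled extensions and the sample message are constructed for the demonstration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
import os

# Rules drawn from the advice above (the exact extensions are an assumption of this example)
BLOCKED_FRAGMENTS = (".exe",)                    # "never run files with .exe in the name"
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}   # Office files that will ask to enable macros
SUSPECT_EXTENSIONS = {".doc", ".pdf", ".zip"}    # open only if you were expecting them

def classify_attachment(filename, sender, expected_senders):
    """Return 'block', 'confirm' or 'ok' for one attachment from one sender."""
    name = filename.lower()
    ext = os.path.splitext(name)[1]
    if any(frag in name for frag in BLOCKED_FRAGMENTS):
        return "block"      # catches both "report.exe" and "report.pdf.exe"
    if ext in MACRO_EXTENSIONS:
        return "block"      # never enable a macro from an email attachment
    if ext in SUSPECT_EXTENSIONS and sender.lower() not in expected_senders:
        return "confirm"    # unexpected document: phone the sender before opening
    return "ok"

def check_message(raw_bytes, expected_senders):
    """Parse a raw email and classify every attachment; returns [(filename, verdict)]."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        results.append((fname, classify_attachment(fname, sender, expected_senders)))
    return results

def build_sample_message():
    """Constructed demo message (not a real email): an unknown sender, three attachments."""
    msg = EmailMessage()
    msg["From"] = "Dr Example <unknown@example.invalid>"
    msg["To"] = "reception@clinic.example"
    msg["Subject"] = "Referral"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"not a real program", maintype="application",
                       subtype="octet-stream", filename="referral.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 demo", maintype="application",
                       subtype="pdf", filename="referral.pdf")
    msg.add_attachment(b"PK demo", maintype="application",
                       subtype="zip", filename="scans.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for fname, verdict in check_message(build_sample_message(), {"gp@partner.example"}):
        print(f"{verdict:8} {fname}")
```

Running the script prints one verdict per attachment; in a real deployment the same check would sit at the mail gateway or in a reception checklist rather than on each desktop.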
Keep your software updated
Hackers often target out-of-date software and browsers. Old versions of Flash, Microsoft products, Chrome, Firefox and Internet Explorer all have vulnerabilities. Always run the updates on your products to ensure you are running the latest versions. These ongoing updates are paramount to a good IT security strategy.
Keep your website updated
Most clinics have a website. Many of the hacks come from websites that are running outdated plugins or operating systems. At least once a week, check your clinic website for updates. If you are not sure how to do this, find a website maintenance company that will maintain your site for you.
Run a solid firewall and anti-virus program
Cheap or free anti-virus programs can be ineffective or, in some cases, breach your patient and practice privacy. You need to invest in a firewall and anti-virus program that is proven effective in any IT security regimen, and run regular scans on your system.
Use a password management system
Hands up if your clinic has passwords on sticky labels or notes stuck to your monitor, keyboard or in a desk drawer? That’s like leaving a key under the front door mat.
There are free and paid password management systems to keep your passwords safe and protected. They are easy to set up and use and help your clinic enforce strong passwords across your team.
Use two factor authentication where possible
If a website offers two factor authentication (for example, a password plus a code sent by text message), then always enable it to help protect you and your clinic’s information.
Separate your WiFi Networks
If your clinic offers free WiFi to patients, ensure you have a totally separate WiFi network for your clinic. Never have patients on the same network as your clinic WiFi. You can also separate your Visiting Medical Officers from your practice network so they have more access than a patient but cannot access your practice data.
Train your staff
Regular training on IT security is as vital as training on infection control. Your employees are your weakest link. They will click links, open files and give out details without thinking or meaning to. Schedule regular training for everyone in the clinic to reinforce your acceptable computer use policies.
Of course, if the unthinkable should happen, then a good back-up is your best friend. It won’t stop your patients from having their identity stolen (once their data has been accessed by hackers, that horse has already bolted), but it will at least get your clinic quickly operational again.