Cyber Security Do’s and Don’ts

DO

  • Perform regular Security Risk Assessments.
  • Apply all patches (updates) to the software on your computers and elsewhere on your network. Automate the process to the extent you can, and use tools such as Secunia or AppFresh to see what additional software needs updating.
  • If your office is using software old enough that it is no longer supported (updated) by its manufacturer, replace it with newer software that is supported.
  • Use integrated security software (firewall, anti-virus, IDS, etc.).
  • Control who has access to what and strictly limit who has administrative privileges.
  • Use strong passwords and change them regularly.
  • Enable screensaver passwords on your computer (and set them to engage relatively quickly).
  • Change all default settings (user IDs & passwords) immediately on computers, servers, routers, point-of-sale devices and any other tool or device connected to your network.
  • Log out of all online services when not using them.
  • Use file-based encryption to safeguard all PHI (and other sensitive information) on your network – remember, if encrypted PHI is lost or stolen, it’s not considered a data breach under HIPAA/HITECH.
  • Enable full disk encryption on every hard drive (especially in laptops), mobile device, storage device (e.g., USB drives) and backup media.
  • Store your encryption keys securely (and not in the same place as the data they can decrypt).
  • Have multi-tiered, off-site, encrypted backups.
  • Keep your office’s servers under lock and key, literally.
  • Use WPA (with the Advanced Encryption Standard) or WPA2 encryption for your office’s wireless network.
  • Assume any smartphone connected to your network may be stolen, and prepare it accordingly.
  • Enable phone tracking and remote wiping.
  • Back up your mobile data on a computer or in the cloud (iCloud, etc.).
  • When an employee is terminated, disable his or her network access (user ID and password) and building access immediately.
  • Securely dispose of anything potentially holding office or patient data.
  • Have an incident response procedure (IRP) in place well before it might be needed.

DON’T

  • Have a file called “Passwords” anywhere on your computer or office network.
  • Use the same password over and over – if it gets cracked once, every other account with that password becomes vulnerable.
  • Keep a post-it note with your password somewhere obvious (under the keyboard, top right side drawer in your desk, etc.).
  • E-mail any passwords – an intruder can search your e-mail and find them.
  • Give your password to anyone else (including co-workers). If you ever do, change it immediately afterwards.
  • Use WEP encryption for your wireless network – it was compromised years ago.
  • Use unsecured (i.e., no password needed) wireless access to send or receive any PHI, financial or other sensitive data.
  • Enter credit card, financial or login information without seeing “HTTPS” in your browser’s address bar (i.e., make sure the site is encrypted).
  • Use cloud services without first making a reasonable inquiry into the state of their security.
  • Assume using Apple computers inherently means you can ignore malware (it doesn’t).
  • Download any software (including programs, updates and mobile apps) unless you know and trust the source.
  • Forget to document your office’s risk management, training and security efforts.