Cyber attacks continue to be a growing concern for businesses, with the potential to cause financial losses and impact organizational reputation.
Most attacks result from a business and its employees being unprepared or underprepared for a threat. But by following the cyber security best practices for your practice and employees, you can significantly minimize your vulnerability to cyber attacks.
Follow these tips to get your protection up to speed.
1. Develop cyber policy documentation
Create a written cyber policy that is tailored to the needs of your practice. Make sure your policy addresses the particular cyber risks facing your company, documenting the steps for your personnel to take for cyber attack prevention, ongoing threat monitoring and cyber incident response.
2. Educate employees on cyber safety
Make education on cyber safety a key part of your employee training. Go beyond inserting a few bullet points into an employee handbook. Instead, train employees regularly on cyber and data security issues. Consider enlisting the help of third-party best practices seminars, if available.
3. Have a suspicious links procedure
Have a specific policy about opening links from unknown sources. Train employees never to click on a link in an email from a third-party source without first verifying the email is legitimate. Instruct employees to never provide any credentials such as a username or password if prompted by a link in such an instance.
4. Establish a personal device policy
Put a policy in place for employees regarding the use of their personal devices for work purposes. Understand that there is a risk involved in allowing employees to perform work functions on cell phones and personal computers. Think through how your practice will successfully manage the risk of a personal device being stolen that contains confidential patient information and communications.
5. Protect portable company devices
Establish a protocol to protect company-owned laptops, cell phones and other portable devices issued to employees on the go. Know who has each device and that each system has been properly set up to provide only the access required for their role. Set up devices to require strong password protection with multi-factor authentication and install current software and antivirus protection.
6. Require robust password security
Have a policy requiring employees to set and maintain robust passwords for all their work devices and applications. Require employees to immediately change any dummy passwords given at the start of employment (such as “1234”), keep their passwords confidential by never leaving notebooks or sticky notes lying around that could reveal their passwords, and enforce frequent password changes, making sure employees choose strong passwords that meet policy requirements.
7. Turn on MFA
Make sure to enable multi-factor authentication (MFA) to your network and for use of remote devices. Ensure MFA is enabled whenever employees work from home, use company portable devices and use their own personal devices for work purposes under your “bring your own device” (BYOD) policy. Hacker intrusion through remote access portals is high, and any employee working in a system remotely should be required to go through an MFA verification process to confirm their credentials.
8. Ensure software is up to date
Make sure all software is up to date to prevent a hack. Check that all virus, malware and ransomware software that protects your system is up to date. Make sure operating systems and software solutions are also kept up to date on all devices. Turn on automatic updates for security fixes and software patches that protect against new vulnerabilities. Realize that an investment in software on the front end to prevent an attack is often well worth it.
9. Enact firewall and data encryption protection
Enact a combination of firewall and data encryption protection across all your systems. Many cyber incidents in healthcare industries stem from avoidable failures to encrypt sensitive data and protect privileged communications. Make sure you understand what your in-house or third-party IT and data host provider is doing to protect your data and network.
10. Review IT backup procedures
All too often a practice learns that its data has not been properly backed up or that the backup is so closely tied to the server that it too is lost or corrupted in theft and ransomware attacks. Put your IT company to the test before an event to make life much easier if and when an event occurs.
11. Know third-party firm policies
Have a thorough understanding of the policies of third-party companies who store data or who you store data with. Your cyber security protection is only as strong as your weakest link, and it does little good to have strict data and cyber policies if a third-party host is not careful or shares sensitive information with unsafe recipients.
12. Invest in annual penetration testing
Consider allocating resources to conduct annual system penetration testing by a qualified third-party cyber security firm. Look into forensic IT companies who offer services where your company network and email systems can be tested to highlight vulnerabilities and recommend solutions to improve cyber safety.
13. Obtain Cyber insurance protection
Understand that there is still a risk a cyber attack may occur even when you’ve taken all the right steps to protect your practice. Make sure you obtain cyber insurance protection to ensure your practice survives the hack and bounces back.
Support from Lockton Affinity
Cybersecurity isn’t just a one-time investment; it’s an ongoing commitment to safeguarding your practice, your patients and your peace of mind.
Secure your future today by purchasing Cyber Liability insurance through the AOA Insurance Program, administered by Lockton Affinity, and gain access to industry-leading incident response services and tools to help you mitigate threats and recover with confidence.
