Cybersecurity

Read the following document or download and print the PDF attached

You should follow these steps at least once a month to make sure you keep your data secure

Download Cybersecurity Workflow

The 7 Steps Necessary to Achieve 99.9% Cybersecurity in Your Practice

ACHIEVING 99.9% CYBERSECURITY IS NOT AS COMPLICATED AS YOU THINK IT IS

  1. Dedicate one hour each month to security (you can delegate these tasks)
  2. Install a reputable antivirus program:
    • If you are a small practice:  Install Windows Defender – no charge
    • If you are a large practice/network:  Install Avast, Norton, or McAfee
  3. Ensure that the antivirus program automatically scans every machine, every day
  4. Manually update your antivirus program, and all other programs and apps, every 2-3 weeks
  5. If patients access your WIFI, you must use a “Guest Network”
  6. Ensure that all employees are educated regarding your cybersecurity protocols
  7. Take action against the vulnerabilities of Web-based PT EMR

Two Ways to Install Windows Defender Antivirus on Your Computer

ALL WINDOWS COMPUTERS THAT ACCESS YOUR PHI MUST HAVE ANTIVIRUS SOFTWARE

Type “Windows Defender” into your search bar

  • Click the “Windows Defender” icon
  • If Windows Defender is already installed, you will see a message that says “Your device is being protected”
  • Otherwise, follow the prompts to install Windows Defender

or

Google “Windows Defender”

  • Click the link with Microsoft’s address
  • Follow the prompts to install Windows Defender

How to Update Your Windows Computer

ALL WINDOWS COMPUTERS THAT ACCESS YOUR PHI MUST BE MANUALLY UPDATED AT LEAST ONCE EACH MONTH, preferably twice

Do not assume that your antivirus program will “auto-update”

If malware is in your computer, it will “turn off” your antivirus’ auto-update feature, leaving you completely vulnerable

Windows 7

  1. Click the Start button, type “Update” into the search box, and then, in the list of results, click Windows Update
  2. In the details pane, click Check for Updates, and then wait while Windows looks for the latest updates for your computer
  3. If you see a message stating that important or optional updates are available, or telling you to review important or optional updates, click the message to view the updates to install
  4. In the list, select the check box for all important updates, click OK, and then click Install Updates

Windows 8

  1. Swipe in from the right edge of the screen, and then tap Search. Or, if you are using a mouse, point to the lower-right corner of the screen, and then click Search
  2. In the search box, type “Windows Update” and then tap or click Windows Update
  3. In the details pane, click Check for Updates, and then wait while Windows looks for the latest updates for your computer
  4. If you see a message telling you that important or optional updates are available, or telling you to review important or optional updates, click the message to view the updates to install
  5. In the list, select the check box for ALL important updates, click OK, and then click Install Updates

Windows 10

  1. Click the Start button, and then go to Settings > Update & Security > Windows Update
  2. Click Check for Updates, follow the prompts
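As an added example (not part of the original workflow document), the PowerShell script below performs the monthly check described above on a Windows 10 machine: it reports whether Defender is on, how old its signatures are, when the last Windows update was installed, and which updates are still waiting. The day thresholds are assumptions chosen to match the once-a-month rule.

```powershell
# Added monthly check script (not from the original document).
# Assumes Windows 10 with the built-in Defender PowerShell module.
# Run from an elevated PowerShell prompt.

$maxSignatureAgeDays = 3    # assumption: signatures older than this are stale
$maxPatchAgeDays     = 30   # assumption: matches the "once a month" rule

# 1. Is Defender actually on, and are its signatures current?
#    (Do not assume auto-update worked; verify it.)
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    Write-Warning "Defender antivirus or real-time protection is OFF on this machine."
}
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    Write-Warning ("Defender signatures are {0} days old; run Update-MpSignature." -f $status.AntivirusSignatureAge)
}
if ($status.QuickScanEndTime -lt (Get-Date).AddDays(-1)) {
    Write-Warning "No Defender quick scan finished in the last 24 hours; check the daily scheduled scan."
}

# 2. When was the last Windows update installed?
$lastPatch = (Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if (-not $lastPatch -or $lastPatch -lt (Get-Date).AddDays(-$maxPatchAgeDays)) {
    Write-Warning ("Last Windows update was installed on {0}; run Windows Update now." -f $lastPatch)
}

# 3. Are there updates waiting that were never installed? (Windows Update Agent COM API)
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
if ($pending.Count -gt 0) {
    Write-Warning ("{0} update(s) pending installation:" -f $pending.Count)
    foreach ($u in $pending) { "  - " + $u.Title }
} else {
    "No pending Windows updates."
}
```

Any warning the script prints is the cue to follow the manual steps in this section before the month's hour is over.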

How to Update the Programs and Apps on Your Windows Computer

MANUALLY UPDATE ALL PROGRAMS AND APPS ON YOUR COMPUTER ONCE EVERY MONTH, preferably twice

Web browsers, music services, streaming video apps, and graphics programs ARE ALL VULNERABLE TO BEING INDIVIDUALLY HACKED.

  1. Navigate to www.Ninite.com
  2. Note the image, below
    1. Click the box for every program or app on your computer
    2. It is particularly important to update “Web Browsers” and “Runtimes”
  3. Click the blue box, “Get your Ninite”

The Necessity for a Guest Network

UNDER NO CIRCUMSTANCES SHOULD YOU PROVIDE ANY NON-EMPLOYEE WITH THE PASSWORD TO THE WIRELESS NETWORK USED BY THERAPISTS

BE AWARE: It’s guaranteed that some patients’ laptops, tablets, or phones will contain malware. Malware spreads to other computers on the same wireless network.

AS SUCH, IF YOU PROVIDE WIFI TO PATIENTS, THEY MUST USE A SEPARATE GUEST NETWORK

The “Guest Network”

  • This network must be encrypted and password protected
  • Of course, the password must be different from the password for the separate EMR wireless network

Set This Up Once and You’re Done

  • If you don’t know how to do it, research your router’s instructions or hire an I.T. Tech
  • Using a guest network, patients interact outside of your main network – outside of your firewall. Your data is not vulnerable.
  • Your router will automatically prioritize your therapists’ bandwidth and speed and will deliver bandwidth to the guest network on a secondary basis

Recommended Internet Conduct Protocol for Your Practice

ALL STAFF, FULL AND PART TIME, MUST BE TRAINED ON YOUR INTERNET CONDUCT PROTOCOL

1. Your practice must have a policy for internet conduct for all employees in your practice

  • Employees must be trained on which attachments they are and are not allowed to click
    • Rule: If the email is not “obviously genuine,” ask questions before clicking on any link
    • “Expect malware from high-profile sources such as the APTA, payers, etc.” (Hackers know that you trust these names)
    • Avoid navigating through Google – Hackers hide in the results list and lead you to a dangerous website
    • Avoid links wherever possible – Type the website address into the browser
    • Be especially leery of “shortened” links – You have no idea whether the link is authentic or not
      • Example: “Click this link to navigate to AETNA’s portal: XYGS001” ← You don’t know where this goes
  • Employees must understand what they are and are not allowed to download
    • Rule: If it doesn’t relate to treating patients, don’t download it
  • Employees must understand that their EMR password must be different from all other passwords that they use

2. Every computer in the practice must have up-to-date antivirus software that automatically scans on a regular basis

  • Employees must understand what to do if a threat is detected, rather than simply clicking “remove threat?”
    • i.e., they should notify the practice owner before clicking anything

3. You must be compliant with points 1 and 2 with any home computer that employees may use to access your PHI

4. Home computers that access your PHI cannot be used by other family members (their security compliance is beyond your control)

5. You must ensure that any employees who have left your practice can no longer access your PHI

  • Ensure that their logins have been properly deactivated

6. Each employee must sign an agreement acknowledging receipt and understanding of, and compliance with, your HIPAA and technology policies

  • Remember to cover this with all new employees as well

The Danger of Web-Based PT EMR and Unauthorized Access

TAKE ACTION AGAINST THE VULNERABILITIES OF WEB-BASED PT EMR

Some Web-Based PT EMRs Advertise:

“Anywhere, anytime, system access from any internet-enabled device” or

“Any user can access your PHI from any computer, anywhere”

Translation:

Any of your employees can access your PHI from any computer, anywhere, any time, with or without permission

This Is the Definition of “Unauthorized Access”

According to the Department of Health and Human Services, unauthorized PHI access/disclosure has increased in frequency 809% since 2010 and is the #1 most frequent cause of HIPAA breaches in 2017.

How Systems 4PT Solved This Problem

Systems 4PT practices access their PHI from an icon on the computer desktop. The practice owner determines which computers have this access. Without this “key to your PHI,” employees have no access and you are protected from the #1 cause of HIPAA violations

Unauthorized Access/Disclosure is the most frequent cause of HIPAA violations year to date in 2017

Be leery of EMR software that claims to be HIPAA compliant but puts your practice at risk of unauthorized access every day

How Unauthorized Access Dramatically Increases the Risk of a PHI Data Breach

UNDERSTAND WHY WEB-BASED PT EMR IS ESPECIALLY VULNERABLE TO MALWARE

With Systems 4PT’s Cloud-Based PT EMR:

  • No PHI data is transferred
  • An image of your PHI is sent to your computer
  • You edit your PHI (which resides in the data center) remotely

With Systems 4PT, Your PHI is NEVER on Your Computer

The PHI stays in the data center; you edit it remotely

With Web-Based PT EMR:

  • The PHI is sent, from the data center, over the internet to your computer
  • The unencrypted PHI is loaded into your computer – Your ONLY DEFENSE is keeping the computer compliant and updated
  • If your Web-based PT EMR allows unauthorized access from “any internet-enabled device,” there is no way to ensure that the “internet-enabled device” is compliant

a) The unauthorized access/disclosure was itself a HIPAA violation

b) This approach leaves the practice incredibly vulnerable to data breaches. You should not accept this level of risk

This is why unauthorized access on a non-compliant computer is so dangerous