Top 10 Tips for Cybersecurity in Health Care
While the tips were developed to help small health care practices apply cybersecurity and risk management principles, they are applicable to any type of organization.
Adoption of the tips is not a guarantee of compliance with federal or state law but can help organizations work toward the goal of having appropriate cybersecurity protections in place.
For a more detailed version of the tips, read the full Top 10 Tips for Cybersecurity in Health Care document [PDF - 518 KB]. For information about good security and risk management practices, see the Guide to Privacy and Security of Health Information.
1. Establish a Security Culture
- Build a security-minded organizational culture so that good habits and practices become automatic.
- Conduct information security education and training frequently, in an ongoing fashion.
- If you are a manager or other leader in your organization, set a good example in attitude and action.
- Instill taking responsibility for information security as one of your organization’s core values.
2. Protect Mobile Devices
- Ensure your mobile devices are equipped with strong authentication and access controls.
- Ensure laptops have password protection (see examples in Tip 8).
- Enable password protection on handheld devices (if available). Take extra physical control precautions over the device if password protection is not provided.
- Protect wireless transmissions from intrusion (see Tip 9).
- Do not transmit unencrypted Protected Health Information (PHI) across public networks (e.g., Internet, Wi-Fi).
- Where it is absolutely necessary to commit PHI to a mobile device or remove a device from a secure area, encrypt the data.
- Do not use mobile devices that cannot support encryption.
- Develop and enforce policies specifying the circumstances under which devices may be removed from the facility.
- Take extra care to prevent unauthorized viewing of the PHI displayed on a mobile device.
3. Maintain Good Computer Habits
- Uninstall any software application that is not essential to running the practice (e.g., games, instant message clients, photo-sharing tools).
- If the purpose of a software application is not obvious, look at the software company’s web site to learn more about the application’s purposes and uses. Also check with the Electronic Health Record (EHR) developer to see if the software is critical to the EHR’s function.
- Do not simply accept defaults or “standard” configurations when installing software.
- Step through each option, understand the choices, and obtain technical assistance where necessary.
- Find out whether the EHR developer maintains an open connection to the installed software (a “back door”) in order to provide updates and support.
- If so, ensure the connection is secured at the firewall (limited to the developer’s systems and the ports it actually needs) and request that this access be disabled when not in use.
- Disable remote file sharing and remote printing within the operating system (e.g., Windows Operating System).
- Automate software updates to occur weekly (e.g., use Microsoft Windows Automatic Update).
- Monitor for critical and urgent patches and updates that require immediate attention, and act upon them as soon as possible.
Operating System (OS) Maintenance
- Disable user accounts for former employees quickly and appropriately.
- If an employee is to be involuntarily terminated, close access to the account before the notice of termination is served.
- Prior to disposal, “sanitize” computers and any other devices that have had data stored on them.
- Follow the guidelines for disposal found in the National Institute of Standards and Technology (NIST) Special Publication 800-88, “Guidelines for Media Sanitization.” [PDF - 92 KB]
- Archive old data files for storage if needed, or clean them off the system if not needed, subject to applicable data retention requirements.
- Fully uninstall software that is no longer needed (including “trial” software and old versions of current software).
- Work with your Information Technology (IT) team or other resources to perform malware, vulnerability, configuration, and other security audits on a regular basis.
- Applications/services (e.g., anti-malware and anti-virus programs) can be set up to report or even stop the download of rogue/unapproved software.
- Audits can be conducted using commercial applications and services (e.g., vulnerability and configuration scans).
- Some applications/services can conduct general security audits as well (e.g., other technical, administrative, and physical safeguards).
4. Use a Firewall
- Unless your Electronic Health Record (EHR) is totally disconnected from the Internet, you must install a firewall to protect against intrusions and threats from outside sources.
- Software firewalls are included with some popular operating systems, so protection is in place from the moment the system is installed, provided the firewall is left turned on.
- Alternatively, separate firewall software is widely available from computer security developers.
- Large practices that use a Local Area Network (LAN) should consider a hardware firewall.
- A hardware firewall sits between the LAN and the Internet, providing centralized management of firewall settings.
- If a hardware firewall is used, it should be configured, monitored, and maintained by a specialist.
5. Install and Maintain Anti-Virus Software
- Use an anti-virus product that provides continuously updated protection against viruses and other malicious code that can reach your computers through web downloads, CDs, email, and flash drives.
- Keep anti-virus software up to date.
- Most anti-virus software automatically generates reminders about these updates, and many are configurable to allow for automated updating.
6. Plan for the Unexpected
- Create data backups regularly and reliably.
- Begin backing up data from day one of a new system.
- Ensure the data is being captured correctly.
- Ensure the data can be quickly and accurately restored.
- Use an automated backup system, if possible.
- Consider storing the backup off site, far enough from the main system that a single fire, flood, or theft cannot destroy both.
- Protect backup media with the same type of access controls described in Tips 7 and 10.
- Test backup media regularly for their ability to restore data properly, especially as the backups age.
- Have a sound recovery plan. Know:
- What data was backed up (e.g., databases, PDFs, TIFFs, DOCs)
- When the backups were done (timeframe and frequency)
- Where the backups are stored
- What types of equipment are needed to restore them
- Keep the recovery plan securely at a remote location where someone has responsibility for producing it in the event of an emergency.
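The backup and recovery-plan steps above, as an added example that is not part of the original page or of any HHS/ONC material: a Python script that copies a set of files into a timestamped backup set, writes a manifest recording what was backed up and when (path, size, SHA-256 per file), and then verifies a restore against that manifest. The "EHR" directory layout, file names, and file contents are constructed for the example; everything runs in a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so a large EHR database dump need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_root: Path) -> Path:
    """Copy every file under `source` into a timestamped backup set and write a manifest.

    The manifest records what was backed up (path, size, SHA-256) and when, which is
    most of the recovery-plan information Tip 6 says you need written down.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    backup_dir = backup_root / f"backup-{stamp}"
    files = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        dst = backup_dir / "data" / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        files[rel] = {"sha256": sha256_of(src), "bytes": src.stat().st_size}
    manifest = {"created_utc": stamp, "source": str(source), "files": files}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_dir


def restore_backup(backup_dir: Path, target: Path) -> None:
    """Restore the backup set's files into `target` (created if absent)."""
    shutil.copytree(backup_dir / "data", target, dirs_exist_ok=True)


def verify_restore(backup_dir: Path, restored: Path) -> list[str]:
    """Compare a restored tree against the manifest. An empty list means the restore is exact."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    problems = []
    for rel, info in manifest["files"].items():
        path = restored / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif path.stat().st_size != info["bytes"] or sha256_of(path) != info["sha256"]:
            problems.append(f"corrupted: {rel}")
    expected = set(manifest["files"])
    for p in restored.rglob("*"):
        if p.is_file() and p.relative_to(restored).as_posix() not in expected:
            problems.append(f"unexpected: {p.relative_to(restored).as_posix()}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Back up a constructed sample EHR tree, then verify a clean restore and a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "ehr"
        (source / "db").mkdir(parents=True)
        (source / "scans").mkdir()
        # Constructed sample data standing in for a database file and a scanned image.
        (source / "db" / "records.sqlite").write_bytes(os.urandom(4096))
        (source / "scans" / "xray.tiff").write_bytes(b"II*\x00" + os.urandom(512))

        backup_dir = make_backup(source, root / "offsite")

        restore_backup(backup_dir, root / "restore-good")
        good = verify_restore(backup_dir, root / "restore-good")

        restore_backup(backup_dir, root / "restore-bad")
        damaged = root / "restore-bad" / "scans" / "xray.tiff"
        damaged.write_bytes(damaged.read_bytes()[:100])  # simulate aged or faulty media
        bad = verify_restore(backup_dir, root / "restore-bad")
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean restore:", good or "OK")
    print("damaged restore:", bad)
```

Running verify_restore against the backup set itself (backup_dir / "data") is the periodic media test the list above calls for; the second restore in demo() shows what a silently truncated file looks like when that test is actually run rather than assumed.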
7. Control Access to Protected Health Information
- Configure your Electronic Health Record (EHR) system to grant Protected Health Information (PHI) access only to people with a “need to know”.
- This access control system might be part of an operating system (e.g., Windows), or built into a particular application (e.g., an e-prescribing module), or both.
- Manually set file access permissions using an access control list.
- This can only be done by someone with authorized rights to the system.
- Prior to setting these permissions, identify which files should be accessible to which staff members.
- Configure role-based access control as needed.
- In role-based access, a staff member’s role within the practice (e.g., physician, nurse, billing specialist) determines what information may be accessed.
- Assign staff to the correct roles and then set the access permissions for each role correctly, on a need-to-know basis.
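The role-based, need-to-know access control described in Tip 7, together with the "disable former employees' accounts quickly" step from Tip 3, as an added example that is not code from the original page or from any EHR product: a small Python model in which roles map to exactly the record categories and actions a job requires, every decision is default-deny and logged, and disabling an account cuts off access immediately without touching its role assignments. The role names, record categories, and the permissions given to each role are assumptions made for the example; a practice must derive its own from its workflows.

```python
from dataclasses import dataclass, field
from enum import Enum


class Record(Enum):
    """Categories of PHI held by the (hypothetical) practice's EHR."""
    DEMOGRAPHICS = "demographics"
    CLINICAL_NOTES = "clinical_notes"
    PRESCRIPTIONS = "prescriptions"
    BILLING = "billing"


class Action(Enum):
    READ = "read"
    WRITE = "write"


# Role -> the (record, action) pairs that role needs to do its job, and nothing more.
# These assignments are assumptions for the example, not a recommended matrix.
ROLE_PERMISSIONS: dict[str, set[tuple[Record, Action]]] = {
    "physician": {(r, a) for r in (Record.DEMOGRAPHICS, Record.CLINICAL_NOTES, Record.PRESCRIPTIONS)
                  for a in Action},
    "nurse": {(Record.DEMOGRAPHICS, Action.READ), (Record.CLINICAL_NOTES, Action.READ),
              (Record.CLINICAL_NOTES, Action.WRITE)},
    "billing_specialist": {(Record.DEMOGRAPHICS, Action.READ), (Record.BILLING, Action.READ),
                           (Record.BILLING, Action.WRITE)},
    "front_desk": {(Record.DEMOGRAPHICS, Action.READ), (Record.DEMOGRAPHICS, Action.WRITE)},
}


@dataclass
class User:
    username: str
    roles: set[str] = field(default_factory=set)
    enabled: bool = True  # a disabled account keeps its roles on record but is granted nothing


class AccessControl:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.audit: list[str] = []  # every decision is recorded for later review

    def add_user(self, username: str, *roles: str) -> User:
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown role(s): {sorted(unknown)}")
        self.users[username] = User(username, set(roles))
        return self.users[username]

    def disable_user(self, username: str) -> None:
        """Deprovision a departing employee: access stops immediately, nothing else changes."""
        self.users[username].enabled = False
        self.audit.append(f"DISABLED {username}")

    def is_allowed(self, username: str, record: Record, action: Action) -> bool:
        """Default deny: an unknown or disabled account, or a role without the pair, gets nothing."""
        user = self.users.get(username)
        allowed = bool(user and user.enabled and any(
            (record, action) in ROLE_PERMISSIONS[role] for role in user.roles))
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} {username} {action.value} {record.value}")
        return allowed


def demo() -> dict[str, bool]:
    """Exercise need-to-know decisions and the deprovisioning path."""
    ac = AccessControl()
    ac.add_user("dr.smith", "physician")
    ac.add_user("nurse.jones", "nurse")
    ac.add_user("pat.billing", "billing_specialist")
    results = {
        "physician writes prescription": ac.is_allowed("dr.smith", Record.PRESCRIPTIONS, Action.WRITE),
        "nurse reads prescription": ac.is_allowed("nurse.jones", Record.PRESCRIPTIONS, Action.READ),
        "billing reads clinical notes": ac.is_allowed("pat.billing", Record.CLINICAL_NOTES, Action.READ),
        "billing writes billing": ac.is_allowed("pat.billing", Record.BILLING, Action.WRITE),
    }
    ac.disable_user("pat.billing")  # former employee: closed before the termination notice is served
    results["disabled billing writes billing"] = ac.is_allowed("pat.billing", Record.BILLING, Action.WRITE)
    results["unknown account reads demographics"] = ac.is_allowed("ghost", Record.DEMOGRAPHICS, Action.READ)
    return results


if __name__ == "__main__":
    for decision, ok in demo().items():
        print("ALLOW" if ok else "DENY ", decision)
```

The point of keeping roles on the disabled account rather than deleting them is that the audit trail still shows what the person could reach while employed; the enabled flag alone decides whether anything is granted now.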
8. Use Strong Passwords and Change Them Regularly
- Choose a password that is not easily guessed. Below are some examples of strong password characteristics:
- At least eight characters in length (the longer the better)
- A combination of upper case and lower case letters, at least one number, and at least one special character, such as a punctuation mark
- Strong passwords should not include personal information such as:
- Birth date
- Names of self, family members, or pets
- Social security number
- Anything that is on your social networking sites or could otherwise be discovered easily by others
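The password characteristics listed above, as an added example that is not part of the original page: a Python check that enforces the minimum length and character-class rules and then rejects any password containing personal information an attacker could discover (the user's names, a birth date written several common ways, a Social Security number or its last four digits, and names of family members, pets, or social-media handles). The Profile fields and the staff member "Alice Rivera" with her dates and related names are constructed for the example.

```python
import re
import string
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Profile:
    """Facts about a user that an attacker could look up. Constructed for the example."""
    first_name: str = ""
    last_name: str = ""
    birth_date: Optional[date] = None
    ssn: str = ""  # digits only
    related_names: list[str] = field(default_factory=list)  # family, pets, social-media handles


def _normalize(s: str) -> str:
    """Lower-case and drop separators so 'J.Smith-1' and 'jsmith1' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def personal_tokens(profile: Profile) -> set[str]:
    """Normalized strings (3+ characters) that must not appear anywhere in the password."""
    tokens = {profile.first_name, profile.last_name, *profile.related_names}
    if profile.birth_date:
        d = profile.birth_date
        # Common ways people embed a birth date in a password.
        tokens |= {d.strftime(fmt) for fmt in ("%Y%m%d", "%m%d%Y", "%d%m%Y", "%m%d%y", "%m%d", "%Y")}
    if profile.ssn:
        tokens |= {profile.ssn, profile.ssn[-4:]}
    return {t for t in map(_normalize, tokens) if len(t) >= 3}


def check_password(password: str, profile: Profile) -> list[str]:
    """Return the policy violations for `password`; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    normalized = _normalize(password)
    for token in sorted(personal_tokens(profile)):
        if token in normalized:
            problems.append(f"contains personal information: {token!r}")
    return problems


def demo() -> dict[str, list[str]]:
    """Check a few candidate passwords for a constructed staff member."""
    alice = Profile("Alice", "Rivera", date(1978, 3, 14), "123456789", ["Biscuit", "Rivera_Runs"])
    candidates = ["password", "Rivera2024!", "Biscuit#0314", "Tq7$wLm9!pZe"]
    return {pw: check_password(pw, alice) for pw in candidates}


if __name__ == "__main__":
    for pw, problems in demo().items():
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```

The personal-information check is done on a normalized form of the password, so "Rivera2024!" is caught even though it satisfies every character-class rule; a practice can extend related_names with whatever a quick look at staff social-media profiles turns up.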
Requiring Multi-Factor Authentication
- If you e-prescribe controlled substances, you must use multi-factor authentication for those accounts. Multi-factor authentication combines two or more independent factors, such as something you know (a password) with something you have (a hardware token) or something you are (a fingerprint scan); a stolen password alone is then not enough to log in.
- Configure your systems so that passwords must be changed on a regular basis.
- To discourage staff from writing down their passwords, develop a password reset process to provide quick assistance in case of forgotten passwords. This process could involve:
- Allowing two different staff members to be authorized to reset passwords
- Selecting a product that has built-in password reset capabilities
9. Limit Network Access
- Prohibit staff from installing software without prior approval.
- When a wireless router is used, set it up to operate only in encrypted mode (WPA2 or WPA3 with a strong passphrase; never WEP or an open network).
- Prohibit casual network access by visitors.
- Check to make sure file sharing, instant messaging, and other peer-to-peer applications have not been installed without explicit review and approval.
10. Control Physical Access
- Limit the chances that devices (e.g., laptops, handhelds, desktops, servers, thumb drives, CDs, backup tapes) may be tampered with, lost, or stolen.
- Document and enforce policies limiting physical access to devices and information:
- Keep machines in locked rooms.
- Manage keys to facilities.
- Restrict removal of devices from a secure area.
The Cybersecurity webpage content is provided for informational purposes only and does not guarantee compliance with federal or state laws. The information and tips presented may not be applicable or appropriate for all health care providers and professionals. We encourage providers, professionals, and organizations to seek expert advice when evaluating these materials. The Cybersecurity webpage content is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. It is also not intended to serve as legal advice or offer recommendations based on a provider’s or professional’s specific circumstances. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.