The Cure for Uneducated Users is Training
By Mike Semel
Blog: 4Medapproved.com/HITSecurity
Twitter: @SemelConsulting
Universal Precautions (ALWAYS putting on protective gloves, masks, and protective clothing) for healthcare providers became necessary when it was realized that contact with a patient’s bodily fluids could result in the caregiver’s death. In today’s world of hacking and data theft, Technology Universal Precautions are required because something as simple as clicking on a link in an e‑mail message can have catastrophic results. If your HIPAA training includes Technology Universal Precautions you can reduce your chances of becoming a victim.
The cure for uneducated users is training and ongoing reminders so they remain vigilant against threats. Your workforce should be trained in Technology Universal Precautions until, like nurses and doctors putting on gloves, everyone develops ‘muscle memory’ to the point where they are always on guard against threats. Users should be trained to recognize bad IT practices, avoid becoming a victim, and report suspicious activity.
Medical records often contain Social Security Numbers, making them a prime target for money-hungry hackers. Recent attacks have also resulted in unauthorized bank transfers, unauthorized access to data, and the malicious encryption of data both on local systems AND the server drives they are linked to.
Getting healthcare workers to adopt Universal Precautions required training, took time, and was inconvenient, but the risks were high enough and regulations tough enough to make people change their behavior. Technology Universal Precautions face the same challenges healthcare providers dealt with when the risks associated with bodily fluids were first identified. The same logic should be applied to protecting patient data, because your risks are in the millions of dollars if you don’t use Technology Universal Precautions.
CryptoLocker Kidnaps Data
CryptoLocker is malware that encrypts your data and then sends you a ransom note demanding payment. The ransom must be paid within a short window of time to begin the decryption process. If the time expires or you try to decrypt the files yourself, the encryption keys are destroyed, meaning you will never access your data again. One healthcare provider got more than CryptoLocker. They had 27,800 medical records stolen and the ransom demanded was more than $10,000.
According to bleepingcomputer.com, the CryptoLocker infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from FedEx, UPS, DHS, etc. These emails contain a zip attachment that, when opened, infects the computer. The zip files contain executables disguised as PDF files: they carry a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Windows does not show file extensions by default, they look like normal PDF files and people open them.
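The double-extension trick described above can be checked mechanically before an attachment ever reaches a user. The following is an added example (not from the original article or from bleepingcomputer.com) that opens a zip attachment in memory and flags members whose real extension is executable but whose name imitates a document; the zip contents are constructed placeholders, not malware.

```python
import io
import zipfile
from typing import List, Optional

# Extensions that launch code on Windows; an attachment ending in one of
# these is suspicious no matter what icon or document name precedes it.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document extensions that lures such as FORM_101513.pdf.exe imitate.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def classify_filename(name: str) -> Optional[str]:
    """Return a reason string if the filename looks like a disguised executable, else None."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None  # no extension at all
    real_ext = "." + parts[-1]
    if real_ext not in EXECUTABLE_EXTS:
        return None
    # Double extension: a document extension hidden in front of the real one.
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
        return f"executable disguised as {parts[-2].upper()}: {name}"
    return f"executable attachment: {name}"


def scan_zip_attachment(data: bytes) -> List[str]:
    """Open a zip attachment in memory and report members that look like lures."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_filename(info.filename)
            if reason:
                findings.append(reason)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment mimicking the lure; the bytes are placeholders, not code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FORM_101513.pdf.exe", b"placeholder bytes, not an executable")
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("notes.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print("BLOCK:", finding)
```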
Technology Universal Precautions for Computers
Protect all of your servers, desktop computers, and laptops. Ensure that they are all up to date with Windows patches and updates, and have anti-virus software that is properly installed, working, and fully updated. Screen-lock settings must automatically lock users out after just minutes of inactivity to protect data from unauthorized access. The best way to protect data on desktop and laptop computers is to not have it there. Instead, store data on secure servers and use remote tools and networks for access. If data must be stored locally, Technology Universal Precautions mean the device must be encrypted. The HIPAA data breach law exempts encrypted data from being reported as lost or stolen.
Technology Universal Precautions for your Network
Configure PCs and laptops to automatically store all data on a centralized server. Make sure the server is backed up frequently with the backups stored offsite. If you are hit with CryptoLocker, being able to recover your last backup may let you avoid paying the ransom.
You need a business-class network firewall for your Internet connection. A consumer router that came from your Internet provider does not have the protection features required to secure patient data. Your server needs to log user access and HIPAA requires the logs be kept for six years. Protecting data requires experienced IT professionals, not doctors or family members installing consumer-grade equipment that does not provide data protection.
Technology Universal Precautions for your Workforce
Training is your best weapon against those who want to attack you. Your well-meaning staff is your greatest risk if they are not educated well enough to protect your data. Something as simple as clicking on an e-mail message, plugging in a thumb drive they found in a hallway or brought from home, or giving their password to someone posing as a helpdesk technician could cost you millions.
Your workforce should be able to instantly identify phishing e-mails that look like official messages but carry a payload that can cause an instant catastrophe. Clicking on a link in a phony e-mail from the IRS, a bank, or a business could silently install dangerous malware. One of our clients clicked on a link in a phony IRS e-mail and almost lost over $200,000 when their bank account was compromised. Clicking on a malicious pop-up saying your computer is infected and needs to be checked takes only seconds but can cause hours of downtime. Teaching Technology Universal Precautions can reduce your risks.
Technology Universal Precautions include keeping passwords secret. It should go without saying that shared logins (like ‘Nurse’) put data at risk and also violate HIPAA’s requirements for Unique User Identification and Audit Logs. The same goes for nurses logging in as doctors to add notes to a patient’s record.
There is never a need for anyone to ever know your password. Users should be instructed to never give their password to a co-worker or to someone posing as a helpdesk technician over the phone.
Technology Universal Precautions apply to portable devices like smartphones that sync e-mail, and portable digital recorders used for dictating exam notes. These must be properly managed to secure patient information.
An easy way to compromise a network is to leave an infected thumb drive in a parking lot or hallway. The person who finds it will likely plug it in to see if they can figure out who owns it, or to use it for themselves, bypassing the protection of your firewall and infecting your network. If a worker finds a thumb drive they should just give it to the IT department to be checked on a system not connected to the network.
Remember to include your Business Associates when protecting patient information. Your answering service, IT provider, and copier technician are just a few vendors that may have access to patient data and must train their workers.
Many organizations look at HIPAA training as something to get done quickly just to meet the requirement for workforce training. Training videos and written quizzes take just minutes and let you say you are compliant, but are usually not effective in really protecting your organization.
Your HIPAA workforce training should not make your employees experts on HIPAA, but should focus on the behavior your employees must follow – keep patient information confidential, don’t snoop in records of patients whose treatment or billing is not your job, and be aware of computer threats that can cause a data breach.
This article was originally published on 4Medapproved and is republished here with permission.