HHS Top 10 Tips for Cybersecurity: #1 Establish a Security Culture
The Department of Health and Human Services (HHS) published, as part of its playbook, a “Top 10” guide to cybersecurity in health care to help medical practices around the country that are struggling to keep up with the moving target of security in the modern doctor’s office. My goal with this weekly series is to walk through this guide with you, giving my take on the topics in the HHS list in an effort to make these tasks less daunting and to make your practice more secure.
So let’s get started with number 1: Establish a Security Culture.
Modern technology in the medical office (love it or hate it) now allows the near-instant transfer and storage of massive amounts of patient information. This ability allows doctors to treat patients at multiple locations, or even remotely, armed only with an iPad. With that power, of course, comes the growing threat of that same easy-to-access data being stolen, misused, or held for ransom. Though hackers are the first thing that comes to mind, it is more common for smaller breaches to occur due to human error (emailing snafu), theft (laptop in the back of a car), or nosy staff.
Fighting the Culture of “not me”
You probably heard about the large hospital and insurance company breaches this year, with thousands (or millions!) of patient records being exposed, and thought, “There’s no way it would happen to me!” But it can, and it does. With the countless other items on the plates of medical staff, daily things like security can fall by the wayside. Plus all those silly policies just slow down getting work done. Having to log in and out of computers and the EHR? Who has time for that? And all those different passwords, who can remember all of those? Little by little this line of thinking spreads and can lead to bad habits.
Creating the Culture
Here is the chance to set things right. To create a foundation that leads to a culture which prides itself on protecting patient information. There’s nowhere better to establish this than from the top. Managers need to set the example, and the HHS guide says, “resist the temptation to indulge in exceptionalism.” Consistent education, and engaging training, can be used to teach security habits everyone will follow. Making patient data security a core value for your practice helps to instill accountability in your staff, showing that everyone is responsible.
Where to Start?
Education is key to eliminating the “not me” culture, and helps combat the anxiety of terms like “cybersecurity” that can overwhelm self-described non-techies in your staff. With self-paced training systems, group webinars, and constant (friendly) reminders, Untangled Solutions helps medical staff protect their patients with security practices that HHS describes “as second nature to the health care organization as sanitary practices.”
If you feel your office needs help creating a security culture, please reach out to us by email or give us a call.
You can also try our free HIPAA Risk Level self-evaluation that takes about 15 minutes.
Come back next week for a review of tip number 2 from HHS on the subject of protecting mobile devices.