Protecting Patient Data
Cybersecurity Tips for Your Practice
By Scott Morris
Vice President, Chief Information Security Officer
BlueCross BlueShield of Western New York
To: All Providers
Cybersecurity is no longer an emerging concern, but a new reality within the health care industry.
During this time of uncertainty, scammers are exploiting COVID-19 in false emails, phone calls and texts, and your information could be at risk. Be extra cautious with anything related to COVID-19, including emails, attachments, social media posts, and texts or calls to your phone. With threats on the rise, every practice and facility should have cybersecurity measures in place and know the key risks.
As Chief Information Security Officer at BlueCross BlueShield, I’ve seen an increase in the level of sophistication around security threats in our industry. It’s more important than ever to address those threats with strong measures.
For Staff Working Remotely
- Have a secure home Wi-Fi connection
- Store laptops and any other necessary materials in a secure location when not working
- Prevent others (friends and family members) from gaining access to devices; use passwords on personal and work devices
- Log off or lock workstations when unattended
Additional best practices to protect patient data include:
Create and Maintain Strong Passwords
Strong passwords are your first line of defense against data breaches. Passwords should be long or complex (ideally both), and always unique, private and original:
- Long – a passphrase or password of at least 16 characters
- Complex – upper- and lowercase letters, numbers and special characters
- Unique – never reuse a password across accounts
- Private – never share a password
- Original – never base a password on personal information
We recommend you visit haveibeenpwned.com to check whether any of your accounts, or a password you are considering, has appeared in a known data breach.
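The haveibeenpwned.com "Pwned Passwords" check works by k-anonymity: only the first five hex characters of the password's SHA-1 hash are sent, the service returns every hash suffix that starts with that prefix, and the match is made locally, so the password itself never leaves your machine. The following is an added example written for this bulletin, not code from the newsletter or from haveibeenpwned.com; it combines the length rule above with that breach lookup. The range response embedded below is constructed for the example (the hash suffix of "password" is genuine, the counts and the other suffixes are made up); `fetch_range_live` shows the real endpoint URL but is only used if you call it yourself.

```python
"""Breach-check a candidate password the way the Pwned Passwords range API
does, sending only a 5-hex-character SHA-1 prefix (k-anonymity)."""
import hashlib
import urllib.request
from typing import Callable, List

# Constructed stand-in for the text the range endpoint returns for prefix
# "5BAA6", which is the prefix of SHA-1("password").  A real response holds
# several hundred "SUFFIX:COUNT" lines; the first suffix here is the genuine
# remainder of SHA-1("password"), the counts and other suffixes are made up.
SAMPLE_RANGE = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
        "0123456789ABCDEF0123456789ABCDEF012:2",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:17",
    ]),
}


def fetch_range_sample(prefix: str) -> str:
    """Offline fetcher: returns the constructed sample (empty if prefix unknown)."""
    return SAMPLE_RANGE.get(prefix.upper(), "")


def fetch_range_live(prefix: str) -> str:
    """Live fetcher (network required): GET https://api.pwnedpasswords.com/range/<prefix>."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_sample) -> int:
    """Return how many times `password` appears in known breaches (0 if none).

    Only digest[:5] is handed to the fetcher; the suffix comparison is local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def password_findings(password: str,
                      fetch_range: Callable[[str], str] = fetch_range_sample) -> List[str]:
    """Apply the bulletin's 16-character rule plus the breach lookup.

    Returns a list of human-readable problems; an empty list means it passed.
    """
    findings = []
    if len(password) < 16:
        findings.append(f"too short: {len(password)} characters, want at least 16")
    seen = pwned_count(password, fetch_range)
    if seen:
        findings.append(f"appears {seen} times in known breaches; do not use it")
    return findings


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", password_findings(candidate) or "OK")
```

To check against the live service, pass `fetch_range_live` as the second argument; the request still carries nothing but the five-character prefix.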
Utilize Multi-Factor Authentication
Multi-factor authentication adds an extra security layer on top of passwords, requiring users to enter a code from a text message or smartphone app. An attacker who has only the password cannot get past this checkpoint. Codes can still be phished, so never enter one at a prompt you did not initiate yourself.
Perform Software and System Updates
Regularly updating your operating systems and applications (also known as "patching") fixes known security flaws before attackers can exploit them. Routine patch management should be a priority in your office.
Recognize and Avoid Phishing Scams
Phishing is the practice of sending fraudulent emails designed to obtain private information such as usernames and passwords. Alternate forms of phishing include "vishing" (voice phishing through phone calls) and "smishing" (phishing through SMS text messages). Errors and misspellings in email messages are often a sign of phishing. If you are not sure about an email's source, do not click its links or open its attachments. Your office can run phishing drills and use a "suspicious email" button within your email application to report messages.
We recommend knowbe4.com for more information and phishing training materials.
Establish a Cybersecurity Culture
Make cybersecurity a key component of your practice’s culture and habits. Everyone should know their role in protecting patient data. Regular training and phishing drills can go a long way toward maintaining cybersecurity in your office. For more information about cybersecurity from the American Medical Association, click on the link below.
If any of your office staff has transitioned to remote workplaces, they must remember the best practices listed above.
Working with Us
We want to hear from you! Have a topic request for the next Blue Bulletin? Email us
Stay in Touch! Sign up to receive emails for provider news and information