National Cybersecurity Awareness Month, observed each October, promotes heightened awareness of the importance of computer security issues. This year’s theme is “Own IT. Secure IT. Protect IT.”
The first — Own IT — refers to taking responsibility for security. While much of the focus of the messaging is on individual security, there are some timely reminders for business environments as well. This is especially true for our FIT Solutions customers who use mobile tablets to access EHR and other clinical systems.
Your internal network contains protected health information, and for HIPAA compliance, you must be absolutely sure that any connected devices are secure. Here are the best practices we recommend:
- Secure Your Wi-Fi.
This is vital for LTPAC environments. Offering Wi-Fi to patients and their guests is a standard business practice, and is essentially an expectation. Keep the guest Wi-Fi on a network that is separate from the clinical network, and establish a firm policy that prohibits staff from sharing the clinical network password with patients or guests. Business-class Wi-Fi access points allow you to set up separate networks and prevent cross-traffic between them. If staff bring their own smartphones to work, allow those phones onto the guest network only. You might offer them a third, separate network that allows some access but still prevents their devices from reaching clinical data. Because a single unsecured device can lead to a breach of patient data, only devices that you directly control and secure should ever be allowed to access medical records.
- Require Endpoint Security Software.
Any device that connects to your network is an endpoint with access to your network’s data. PCs are no longer the only vulnerable point; Android devices are especially susceptible, and criminals are increasingly targeting tablets running iOS. Make anti-malware software part of the standard device configuration, and configure it to update its signatures and engine automatically on a regular schedule.
- Fortify Your Logins.
A tablet or other device that has access to medical data must be locked with a passphrase to prevent unauthorized use by visitors who might pick it up. In addition to a strong password policy, the best practice is to enable multi-factor authentication for any access to the clinical network. Together these measures protect you against unauthorized use of the device and against criminals guessing passwords or using stolen credentials to gain access. In addition, hide the SSID so you’re not broadcasting the name of the clinical network. Treat hiding the SSID as a minor obscurity measure rather than a control: the network name still appears in the traffic of devices that join it, so the network segmentation, strong passwords and multi-factor authentication above remain the real protection.
- Mandate VPN Use.
Mobile devices can be susceptible to eavesdropping. If a device ever needs to leave the secure network, require a VPN for any access back to the clinical network so that its traffic is protected in transit by the VPN’s strong encryption. Look for a VPN that also supports multi-factor authentication to protect the VPN logins themselves.
- Protect Against Malicious Apps.
One of the biggest mobile-device risks is applications that pose as something useful or fun, but are actually designed to steal data. Establish policies that limit or block the use of third-party software on your clinical devices.
- Develop and Require a Secure Configuration.
Establish a standard, secure configuration for devices that connect to the clinical network. This includes requiring a lock code or password for access, preventing connections to any other wireless network, and either hiding the device from Bluetooth discovery or, better still, disabling Bluetooth altogether.
- Enable Remote Lock and Wipe.
Be sure you are able to remotely lock the device to prevent its use if it is ever lost or stolen. Ideally, the devices store no patient data locally and are only used to access or update the patient records. But if they do hold any data, or as an extra measure of protection, ensure you can remotely wipe the data from the device as well. If the device is later found, you can simply re-image it from a backup.
- Conduct Mobile Security Audits.
Hire an outside firm to audit your mobile security and perform penetration testing annually. Testing with the same device models and configurations that you use in your environment will uncover potential issues before a criminal discovers them.
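The secure-configuration, endpoint-security, login, VPN and remote-wipe items above only work if you can verify that every tablet actually matches the baseline. The following is an added example, not FIT Solutions’ code or any vendor’s tool: a small Python audit that compares a device inventory against the baseline described in this article. The inventory records, the field names and the `clinical-net` SSID are constructed assumptions standing in for whatever your MDM or asset-management export reports; any field a device does not report is treated as a finding rather than assumed compliant, so an incomplete export cannot hide a misconfigured device.

```python
from typing import Any

# Assumed SSID of the clinical Wi-Fi network (a placeholder, not a real value).
CLINICAL_SSID = "clinical-net"

# Fields the baseline needs from each inventory record (assumed field names).
REQUIRED_FIELDS = ("lock_code", "bluetooth", "anti_malware", "wifi_networks",
                   "mfa", "vpn_required", "remote_wipe", "local_phi")

# Constructed sample inventory, modelled on what an MDM export might contain.
INVENTORY = [
    {"id": "tab-001", "lock_code": True, "bluetooth": "off",
     "anti_malware": {"installed": True, "auto_update": True},
     "wifi_networks": ["clinical-net"], "mfa": True, "vpn_required": True,
     "remote_wipe": True, "local_phi": False},
    {"id": "tab-002", "lock_code": False, "bluetooth": "discoverable",
     "anti_malware": {"installed": True, "auto_update": False},
     "wifi_networks": ["clinical-net", "guest-wifi"], "mfa": True,
     "vpn_required": False, "remote_wipe": True, "local_phi": True},
    # tab-003 is deliberately missing the vpn_required field.
    {"id": "tab-003", "lock_code": True, "bluetooth": "on", "anti_malware": None,
     "wifi_networks": ["clinical-net"], "mfa": False,
     "remote_wipe": False, "local_phi": False},
]


def check_device(dev: dict[str, Any]) -> list[str]:
    """Return the baseline findings for one device; an empty list means compliant."""
    findings: list[str] = []

    def missing(field: str) -> bool:
        # Fail closed: an unreported field is itself a finding.
        if field in dev:
            return False
        findings.append(f"unreported: {field}")
        return True

    if not missing("lock_code") and not dev["lock_code"]:
        findings.append("no lock code or passphrase")
    if not missing("bluetooth"):
        if dev["bluetooth"] == "discoverable":
            findings.append("bluetooth discoverable")
        elif dev["bluetooth"] != "off":
            findings.append("bluetooth enabled")
    if not missing("anti_malware"):
        am = dev["anti_malware"] or {}
        if not am.get("installed"):
            findings.append("anti-malware not installed")
        elif not am.get("auto_update"):
            findings.append("anti-malware not set to auto-update")
    if not missing("wifi_networks"):
        # Only the clinical SSID may be saved; guest or home networks are drift.
        extra = sorted(set(dev["wifi_networks"]) - {CLINICAL_SSID})
        if extra:
            findings.append("joins non-clinical wifi: " + ", ".join(extra))
    if not missing("mfa") and not dev["mfa"]:
        findings.append("mfa not enforced")
    if not missing("vpn_required") and not dev["vpn_required"]:
        findings.append("vpn not required off-network")
    if not missing("remote_wipe") and not dev["remote_wipe"]:
        findings.append("remote lock/wipe not enabled")
    if not missing("local_phi") and dev["local_phi"]:
        findings.append("stores phi locally (remote wipe mandatory)")
    return findings


def audit(inventory: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each device id to its findings."""
    return {dev["id"]: check_device(dev) for dev in inventory}


def compliant_ids(inventory: list[dict[str, Any]]) -> list[str]:
    """Ids of devices with no findings."""
    return [dev_id for dev_id, found in audit(inventory).items() if not found]


if __name__ == "__main__":
    for dev_id, found in audit(INVENTORY).items():
        status = "OK" if not found else "DRIFT"
        print(f"{dev_id}: {status}")
        for item in found:
            print(f"    - {item}")
```

Run it as-is to see one compliant tablet and two with drift; in practice you would replace `INVENTORY` with your MDM export and run the audit on a schedule, feeding the findings to whoever owns device remediation.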
We encourage you to use National Cybersecurity Awareness Month to take a serious look at your security and address any shortcomings. If you would like assistance implementing these measures or an evaluation of your HIPAA compliance posture, FIT Solutions is here to help. Call us today at 888-339-5694.