Cybersecurity Tips for NPs: Staying Safe Online

Are you stuck between a rock and a hard place, scrambling to keep your Nurse Practitioner practice open?

It’s one thing if you’re struggling for reasons under your control. However, if you’re fighting to keep your doors open for reasons outside your control, that’s a different story.

An example is the fallout from the recent cyberattack against Change Healthcare. Although the attack was entirely outside their control, its fallout affects all types of providers, including Nurse Practitioners.

Unfortunately, many face running out of cash and potentially having to shut their doors before regular reimbursement resumes.

One wonders how a small practice can protect itself against a cyberattack when the big players cannot.

No Guarantees

As much as I would like to say that if you do X, Y, and Z, you’ll never have to deal with an attack, there are no guarantees.

However, you can take steps to protect against attacks and lessen the impact on your office in case of an attack.

But first, let’s address a common misconception.

Most people and small offices assume they would never be a target. Why would anyone bother? After all, there aren’t huge sums of money someone could extort, so what would be the point? As ridiculous as it sounds, attackers may target anyone because… they can—if for no other reason than for the fun of it!

What Steps Can You Take to Protect Yourself?

Let’s start with the simple things you can do right away.

Regular Software Updates:

Keep all software and systems up to date with the latest security patches to protect against known vulnerabilities.

For example, if your practice website runs on WordPress, install updates to software and plugins when available. It’s best to install updates as soon as possible.

Alternatively, check for updates and install them on a regular schedule. Outdated software makes it easy for crooks to get into computer systems and cause damage, because the vulnerabilities that an update fixes are publicly known once the update is released.

Firewall, Antivirus, and Security Software:

Install and maintain up-to-date firewall, antivirus, and security software to protect against malware and unauthorized access. Run available security scans regularly.

Today, most computer systems come with this software pre-installed. All you have to do is use it and keep it up to date.

Data Encryption:

Most of the software used in your practice will employ encryption to protect sensitive data, both in transit and at rest, from unauthorized access.

Don’t let anyone bypass encrypted transmission by sending protected data via plain, unencrypted email or other unprotected means.

Access Control:

Whatever the size of your practice, it’s essential to implement access control measures to ensure that only authorized personnel have access to sensitive information.

Most software programs allow various levels of access control, including read-only, read-write, admin, or owner. Keep track of who has what level of access, review it periodically, and remove access promptly when an employee leaves.

Additionally, you could limit physical access to computers and software. For example, you could restrict access to the computer used for billing to the biller alone.

Strong Password Policies:

This is non-negotiable.

You must implement strong password policies in your office, including changing passwords regularly and using complex, stronger passwords.

Invest in a business password manager for your office to accomplish this task. It will help keep everyone on the same page and your systems safer.

A business-level password manager provides additional controls over access to software and systems.

Popular password managers include LastPass, RoboForm, 1Password, and many others. Here is a comparison of business-level password managers from PCMagazine for your review.

If you don’t do anything else after reading this article, please use a password manager for your business and personal life.

Regular Security Assessments:

Conduct regular assessments of how data security is handled in your practice, including using passwords, software updates, and access to systems. Use the assessments to help identify and mitigate potential vulnerabilities.

Employee Training:

Provide regular training for your staff on the best practices for cybersecurity, including recognizing phishing emails and safe internet usage.

Train new employees on your office’s practices immediately so that everyone adheres to the same rules, regulations, and practices.

Data Backup:

Regularly back up all critical data and ensure that backups are stored securely and are easily retrievable in case of data loss.

While many software programs provide continuous backup, you still want to ensure that a routine, secure data backup is ongoing.

Some prefer manual redundant backups, while others use secure backups to the cloud.

Whatever approach you choose, be sure you remain HIPAA-compliant and that your data is secure.

Financial Cushion:

To prepare for potential disruptions in reimbursements, set aside money so your practice can stay afloat.

Decide today to save a certain percentage of your revenue in an interest-bearing account you can access in a flash.

Additionally, you may want to establish a line of business credit with your bank to be prepared for whatever life may throw at your practice.

No matter the approach, the objective is to build up cash reserves, which you can tap into if necessary.

You’ve Been Hacked. Now What?

In the event of an attack, what should you do?

Not all attacks are created equal. However, time is always of the essence…

Contain the Attack:

As soon as an attack is noticed, isolate the affected systems to prevent further damage. For example, if you suspect a virus, disconnect the computer from the network and stop using it until the virus has been removed and the extent of the damage can be assessed. Use your backups to restore the data if it has been corrupted.

Notify Authorities:

If you suspect or know your business was attacked, notify the appropriate authorities, including law enforcement and regulatory bodies, as required by law.

Be prepared to provide as much information as possible about the crime, including the date and time, the nature of the incident, and any evidence you may have gathered.

Notify Affected Individuals:

If there has been a data breach, inform patients and other affected parties about the breach and take necessary steps to mitigate any potential harm.

People have a right to know if their data may have been compromised and how. Also, let people know what you have done about it and what they can expect from you in the future.

Conduct a Post-Incident Security Review:

Conduct a thorough review of what happened to understand how the attack occurred and how to prevent future attacks.

Identify breakdowns in security protocols, whether on your part or on the part of your employees, and take steps to correct them.

Review and Update Security Policies:

Review and update your security policies and procedures based on lessons learned from the incident, including access controls and how customer data is routinely handled.

In Conclusion…

Anyone may be a target of cybercrime, whether individuals, small businesses, or large corporations.

It can happen to anyone at any time.

That’s why it’s essential to take steps to reduce the chances of getting attacked and to be prepared in case it happens.

Be safe…
