The Intake

Insights for those starting, managing, and growing independent healthcare practices

4 easy ways to keep your medical practice cyber safe during Cybersecurity Awareness Month

Cybersecurity threats are constantly evolving. These easy-to-implement changes can help protect your business from cybersecurity attacks.


At A Glance

  • Protecting your medical practice from cyberattacks starts with you.
  • Regularly update software to fix known vulnerabilities and reduce the risk of hacking.
  • Generate and manage complex, unique passwords for each account using a password manager and implement MFA as a crucial security measure to protect accounts.
  • Employ plus addressing to create receive-only email address extensions.

As medical professionals, your day-to-day jobs involve handling a wealth of sensitive patient data. October is Cybersecurity Awareness Month, providing a reminder that it’s vital to ensure the safety and security of this data within your practice. 

In this article, we'll cover 4 easy ways that doctors and healthcare professionals can keep their medical practice protected during Cybersecurity Awareness Month.

1. Keep your software updated

Keeping your software up-to-date is critical to the success of your medical clinic. Pop-up reminders to update to the latest version of your software can be annoying, but not as annoying as violating HIPAA and losing the trust of your patients or clients because you failed to do so and got hacked. (Unless stated otherwise, the business associate agreement between you and your software likely clarifies that you are responsible for protecting patient information.)

Installing software updates when they become available is part of protecting data, as new security patches fix known issues to reduce the chance that hackers will be able to exploit vulnerabilities.

Updates can also indicate that your software has a secure development lifecycle and is dedicated to looking for known weaknesses and development vulnerabilities, as Jesse Salmon, information security manager at Tebra, notes.

“We need to make sure our vendors are looking for weaknesses proactively in their own software,” Salmon said.

Updates keep your systems running smoothly and efficiently. Set updates to install automatically to stay on top of them.

2. Use a password manager

Long, unique, and random passwords are a step in cybersecurity that anyone can implement. But passwords that are complex enough to be secure can also be a challenge to create and remember.

Using the same password for multiple accounts is often tempting, but it’s also a security risk since a hacker who gains access to one password can then use it to access multiple accounts.

That’s where a password manager comes in.

“Use password managers to generate and remember different, complex passwords for each of your accounts. A password manager will encrypt passwords securing them for you,” the Cybersecurity and Infrastructure Security Agency (CISA) advises for Cybersecurity Awareness Month.

A password manager stores passwords in a centralized, encrypted vault behind a master password. One concern with using a password manager can be the opportunity for it to become a single point of failure: if someone gains unauthorized access to the vault, then they can potentially access all the passwords in it.

On the other hand, the same is true of using a variation on the same few passwords for everything, or storage methods like a Post-It in a drawer (not recommended) or an untitled document saved to the desktop or cloud (definitely not recommended).

Unlike those and similar methods, a password manager is encrypted and, like the passwords it contains, can be secured further with multi-factor authentication.

3. Enable multi-factor authentication

“Passwords are no longer enough. One of the most important defensive measures you can take is beefing up your cybersecurity with multi-factor authentication,” Salmon said.

Multi-factor authentication is a security strategy that requires two or more pieces of proof before you can access data or a system. Salmon notes that proof can include something you know, like a password, PIN, or knowledge-based authentication; something you have, like a key fob or mobile device; or something you are, like a fingerprint, face scan, or retinal scan.

Using two (or more) types of proof is more secure than using only one. A password along with an answer to a security question is better than just a password, but a password along with a code from an authenticator app on your mobile device is even more secure.

Enabling multi-factor authentication adds an extra layer of security to your account, making it much more difficult for hackers to gain access.

4. Use plus addressing for email

Email is the main way we communicate with customers and teams, which makes a business email compromise one of the most financially damaging online crimes.

Plus addressing, an email practice where you can create receive-only email address extensions that look like [email protected], can be a way to limit and sort incoming email sent to your main address. For instance, if you want to use a subaddress with your social media accounts, a plus address might look like [email protected].

Plus addressing can be part of verifying that an email from a customer, partner, vendor, or external account is legitimate. For instance, if you know a legitimate email related to a social media account will be delivered to [email protected], and an email allegedly related to a social media account is delivered to your main address, you know to investigate.
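The check described above, sketched in Python as an added example (it is not part of the original article). The addresses, domains, and the `EXPECTED_TAG` registry are constructed for illustration; the code flags mail that claims to come from a service but did not arrive at the plus address registered for that service.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical registry: the plus tag you gave each service when signing up.
EXPECTED_TAG = {"social.example": "social", "billing.example": "billing"}

def split_plus_address(address):
    """Return (base_address, tag); tag is None when there is no '+' extension."""
    local, _, domain = address.lower().rpartition("@")
    base, plus, tag = local.partition("+")
    return f"{base}@{domain}", (tag if plus else None)

def expected_tag_for(sender_domain):
    """Find the tag registered for a sender domain or any of its subdomains."""
    for domain, tag in EXPECTED_TAG.items():
        if sender_domain == domain or sender_domain.endswith("." + domain):
            return tag
    return None

def check_message(raw):
    """Classify one message as 'ok', 'investigate' or 'unknown-sender'."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Prefer Delivered-To (added by many receiving servers) over the To header.
    recipient = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1]
    expected = expected_tag_for(sender.rpartition("@")[2])
    if expected is None:
        return "unknown-sender"
    _, tag = split_plus_address(recipient)
    # A matching tag is only one signal; a missing or wrong tag is the red flag.
    return "ok" if tag == expected else "investigate"

# Constructed sample messages (not real addresses).
GENUINE = ("From: Social Site <notify@mail.social.example>\n"
           "To: frontdesk+social@clinic.example\n"
           "Subject: New follower\n\nYou have a new follower.\n")
SUSPECT = ("From: Social Site <security@social.example>\n"
           "To: frontdesk@clinic.example\n"
           "Subject: Urgent: verify your account\n\nClick here.\n")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(name, "->", check_message(raw))
```

The From header can be forged, so an "ok" result does not prove a message is legitimate; the value of the check is that a missing or mismatched tag tells you to investigate.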

“Adapt a new mindset, and it’s trust but verify,” Salmon says. “It’s important that we confirm who we’re speaking with.”

He recommends hovering over links to see if they match the link you expect, treating urgent requests with suspicion, and contacting the sender directly to learn more.

“If you’re not expecting it, don’t click it.”

Cybersecurity starts with you

Cybersecurity can be very complex, but its best practices don’t have to be. Keep your software up to date, make it easy to remember complex and unique passwords by using a password manager, turn on multi-factor authentication because passwords are no longer enough, and get into the habit of thinking before you click.


Ryan Yates, consultant, editor, and writer

Ryan Yates, BA, is a multi-hyphenate writer, editor, and consultant with roots in the queer media, personal well-being and health, and B2B worlds. They cultivate presence, embodiment, and connection and operate across contexts, channels, audiences, and deliverable types, and are interested in the way that independent practices can support enhanced patient care by bringing those sensibilities to every step of the patient journey. Ryan Yates has healthcare- and well-being-related bylines in USA Today, the Daily Beast, Nylon, Refinery29, and other publications. They have also been featured in the Economist’s 1834, Vice, and elsewhere.
