Good internet security practices are essential for any healthcare provider if they wish to limit their exposure to the threat of data breaches. At Advanced Billing and Consulting Services, we are serious about internet security for ourselves and our clients. It has become increasingly common to hear news reports about data breaches in online security for a variety of organizations. We here at ABCS RCM are aware of this growing danger, and take the appropriate precautions to ensure that our clients do not become victims of an online security breach.
For example, Anthem, one of the largest health insurance companies in the United States, suffered a data breach that exposed about 79 million people’s personal information to malicious hackers. The Indianapolis-based insurance provider has agreed to settle litigation over this hacking incident, which occurred in 2015. Anthem will pay over $115 million, the largest settlement ever for a data security breach. The $115 million settlement will be used to pay for two years of credit monitoring for people affected by the breach. In recent years there have been other high-profile data security breaches. Minnesota-based Target Corporation settled claims and paid $18.5 million in May of 2017. In a similar situation, Home Depot agreed to pay $19.5 million to consumers last year after a severe data breach. These online security breaches raise the question, “What can a health professional do in order to ensure that their data is secure?”
Sadly, there is no way to guarantee 100% that data will never be compromised. However, there are some basic procedures that will greatly reduce an organization’s exposure to security threats. Here are four security practices that every health organization should follow.
Minimize internal threats:
This relates to what some security analysts are now calling the “Snowden Effect.” The Snowden effect refers to the increase in public concern about information security and privacy that followed the disclosures Edward Snowden made about the extent of surveillance activities by the National Security Agency (NSA). What many people do not know, however, is that the Snowden leak was very low-tech in nature. No sophisticated hacking software was used; Snowden was simply able to copy sensitive data to a flash drive. The breach was possible because he had access to sensitive information that he should not have had. In other words, it was an inside job. Organizations need to monitor and regularly update their governance policies in order to ensure that only the proper people have access to sensitive data.
Install firewalls and antivirus protection:
It is essential that any organization has strong firewall and anti-virus programs in place. Computer networks are impossible to protect without proper firewalls. Modern firewall software and hardware can regulate what type of internet traffic enters your organization’s network. Firewalls are particularly effective when combined with antivirus and anti-malware programs, which are good at preventing “bots” and other malicious programs from gaining access to an organization’s computer network. In modern computer systems, firewalls now often run at the network level as well as the application level. Firewalls and antivirus programs act like gatekeepers that passively monitor activity and detect evasive or suspicious behavior. However, firewall and antivirus software need to be regularly updated, which leads to the next security practice.
Do not ignore software updates:
All computer programs need to be updated on a regular basis. Often these updates, or “patches,” repair recently discovered security vulnerabilities. Operating system (OS) updates are among the most common. In fact, there is a chance that an organization will need to buy and migrate to a new operating system if updates for the old system are no longer available. If these updates are ignored, there can be dire consequences. This is exactly what happened to the UK’s National Health Service in May of 2017. Some of the computers in the Health Service still ran Microsoft Windows XP, but Microsoft has not provided security updates for the XP operating system since 2014. This allowed hackers to install ransomware that shut down services at hospitals and clinics throughout the United Kingdom.
Making sure your computer network is “patched” and updated is a vital step towards being secure; there is little point in installing advanced security software if it is not going to be maintained. All security software is only as good as its most recent update. No security application is 100% guaranteed to stop a data breach, but keeping your programs up to date is the best approach that health professionals can take. Frequently updating computer programs will prevent the vast majority of security issues, since updates frequently fix exploitable flaws in the program.
Create and use secure passwords:
Password management is essential for any healthcare organization. Strong, secure passwords can stop events like an online security breach, so it is crucial that an organization uses passwords that can withstand brute-force attacks and similar attempts. This means that passwords should be as complex as possible. A password should not be “ninja123” or a favorite sports team. Users should strive to create 16-character passwords made up of a combination of upper- and lower-case letters, numbers, symbols and even spaces. Modern passwords should not use repeated terms, dictionary words, usernames, pronouns or any other predefined number or letter sequences.
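As an added example (not code from the original post), the following Python function checks a candidate password against the rules listed above and reports every rule it violates. The short word list and the repeated-term and sequence heuristics are assumptions made for the example; an organization would substitute its own word list.

```python
import re
import string

# Constructed sample word list (assumption for this example); a real deployment
# would load a full dictionary and breached-password list instead.
COMMON_WORDS = {"ninja", "password", "welcome", "summer", "yankees", "cowboys"}


def password_findings(password: str, username: str = "") -> list[str]:
    """Return the policy rules the password violates (an empty list means it passes).

    Rules follow the post: at least 16 characters; upper- and lower-case letters,
    digits and symbols/spaces; no dictionary words, username, repeated terms or
    predictable sequences.
    """
    findings = []
    lowered = password.lower()
    if len(password) < 16:
        findings.append("shorter than 16 characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation or c == " " for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    if username and username.lower() in lowered:
        findings.append("contains the username")
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            findings.append(f"contains dictionary word '{word}'")
    # Repeated term: any run of three or more characters that occurs again later.
    if re.search(r"(.{3,}).*\1", lowered):
        findings.append("contains a repeated term")
    # Predictable sequence: four consecutive ascending or descending letters/digits
    # (e.g. "abcd" or "4321"); only the first hit is reported.
    for i in range(len(lowered) - 3):
        chunk = lowered[i:i + 4]
        codes = [ord(c) for c in chunk]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if chunk.isalnum() and steps in ({1}, {-1}):
            findings.append(f"contains the predictable sequence '{chunk}'")
            break
    return findings
```

Running it on the post’s own bad example, “ninja123”, reports the short length, the missing uppercase and symbol classes, and the dictionary word.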
An additional layer of security for passwords involves what is known as Two-Factor Authentication (TFA). This type of authentication requires not only a username and password, but also something that only that user has on them or has immediate access to (a token, a fingerprint scan, a text message to a mobile phone, etc.). Services like Google’s Gmail and Facebook offer a “two-step verification” process when signing in, which is similar to a TFA security approach. When this process is enabled, signing in also requires the user to enter a unique code that is sent as a text message to the user’s phone. A hacker who is not in possession of that phone will therefore not be able to sign in, even with the correct username and password.
Naturally, these four security practices are not 100% guaranteed, but they will provide healthcare practices with a much better layer of security. As internet and computer technology move forward and change the healthcare industry, so will the fear of data breaches and hacking.
Advanced Billing & Consulting Services (ABCS) offers a complete suite of revenue cycle management solutions for medical and health professionals. Our services include medical billing, website design/SEO, healthcare workforce management tools, and account management services for Medicaid Waiver Providers (HCBS & ICF/DD).