
Cybersecurity Best Practices for the Audiologist: The Hearing Journal

In a highly digitized world, cybersecurity is an issue for everyone—individuals and businesses alike. This is especially true in the health care space where sensitive medical information is at risk, and so it is crucial that audiologists take the necessary steps to ensure their practices—and patients—are protected.

“Try to imagine any part of the patient experience that doesn’t involve technology, from scheduling the appointment to medical tests to ordering prescriptions to electronic health records and billing,” said Josiah Dykstra, PhD, owner of Designer Security. “In audiology, even manual cerumen removal is often aided by electronic loupes for magnification or technology-assisted irrigation and suction.

“Cybersecurity is important because audiology requires technology, and technology brings risk,” he continued. “There is loss to a business when technology is unavailable or following a data breach. There is risk to a patient if their personal and sensitive health or financial information is compromised.”


Creating a secure system that protects the information of both your patients and practice is the responsibility of every health care provider.

“Patients are giving you their protected health information in the course of the provision of their health care, and they want assurances that you have the processes and systems in place to protect that information,” noted Kim Cavitt, AuD, Audiology Resources, Inc. “At the same time, businesses also want to protect their own business metrics and intellectual property.”

A key component of this is following all HIPAA security provisions; however, instituting comprehensive cybersecurity does not end with HIPAA compliance. There is a difference between security and compliance, Dykstra explained. A practice can be 100 percent compliant and still be vulnerable to a cyber-attack.

When discussing cybersecurity best practices with The Hearing Journal, Dykstra outlined his five non-negotiables for audiologists:

  1. Validate your policies. The first line of defense against bad behavior, like employees sharing passwords or disclosing protected health information, is a policy prohibiting this. HIPAA requires a variety of policies and procedures. Adopt a strong password policy, update your employee handbook, and fill in other policy gaps.
  2. Implement individual accounts with strong passwords. Everyone must have their own, individual account for each computer and online service. Enable multi-factor authentication, if possible, especially for email since other accounts often reset via email. Use a password manager to help you adopt unique passwords for every website.
  3. Install software updates. Most modern systems offer automatic updates. Turn them on. Hackers love unpatched systems because they are easy to exploit.
  4. Enable regular backups. All critical data should be backed up and some cloud-based systems may offer this automatically.
  5. Train users. Surprisingly, training users is not a very effective approach to cybersecurity. It is still required by HIPAA and recommended to help people remember good cyber hygiene, such as being careful when clicking email links and attachments, which are the most common ways that computers become infected.

“The only goal of cybersecurity is to help manage risk to the business and the patient,” noted Dykstra. “Even though passwords, for example, feel like an inconvenience at times, they are a key to protecting digital valuables from attackers trying to inflict harm.

“Nobody is immune from the indiscriminate and persistent attempts to victimize each of us, but health care is particularly vulnerable and sensitive to loss,” he added. “Health care often stops when a provider is the victim of ransomware, and some small businesses close forever.”


It is easy to become complacent or let overwhelm lead to inaction, but cybersecurity cannot be ignored. “Don’t wait to look into cybersecurity until you have time,” said Alicia D.D. Spoor, AuD, Doctor of Audiology and president of Designer Audiology. “There is never enough time, and you need to make time to work on this area of your practice.”

One common myth, according to Dykstra, is thinking that you are too small or insignificant to be the victim of a cyber-attack. “Attackers almost never care about you specifically; they want whatever data or computer they can get,” he explained. “The converse of doing nothing is also a myth: I can never be secure, so why try? Security is not hopeless. Every day you put off cybersecurity is a day of high risk to you and your patients, but simple steps and dedicated effort can substantially lower your risk.”

One such step is making sure you have a business associate agreement with any digital provider that has protected health information, including your email provider, earmold/hearing aid/cochlear implant manufacturers, and landlords, suggested Spoor. “And, when in doubt, hire an expert to assist in the process.”

Other potential security gaps that must be addressed, according to Cavitt, include not having control of individuals’ access to your practice database on personal devices that the business doesn’t own, or programming a hearing aid remotely through a system that is not secure. She also urges audiologists to ensure that they are using encrypted emails and texts as well as antivirus software.

When creating a cybersecurity policy for employees, it is also important to have clear guidelines and expectations, Spoor noted. “Make sure there are consequences to employees who do not follow the practice guidelines,” she said.

“There is little, if any, formal training on security and/or cybersecurity in the Doctor of Audiology programs. Many audiologists think cybersecurity is only the responsibility of the practice owner or clinic manager when, in reality, it is everyone’s responsibility,” noted Spoor. “Cybersecurity requires ongoing learning as hackers change tactics, new vulnerabilities are identified, and all members in health care need to be educated.”

This is where hiring an expert comes into play—but make sure you find the right one. Spoor recommends that audiologists take the time to research cybersecurity experts, especially those who also sell devices (e.g., hardware, software), to ensure there are no conflicts of interest.

“We ask our patients every day to trust us to be experts in hearing health care,” noted Cavitt. “We need to do the same when it comes to cybersecurity: trust the experts. Outsource to someone who can help you identify what needs to be done then train your staff and be consistent.”


While the importance of cybersecurity is indisputable, it is not without its challenges. In a 2020 survey, a group of 131 audiologists reported that expertise, money, and time were the most common reasons for not having better cybersecurity in place.1

“There are certainly things that people can do themselves with little expertise, time, or money such as turning on native features for encryption and picking good passwords,” said Dykstra. “Audiologists also need to acknowledge when they need professional help, just as they would hire an accountant or attorney to help with needs outside their core areas of expertise. Cybersecurity professionals offer a unique skillset that even general IT companies lack.”

“Audiologists can be paralyzed by not knowing what to do and therefore doing nothing. It takes time and money to improve a practice and security, but it doesn’t have to be scary,” emphasized Spoor, who recommends audiologists take advantage of available resources, including national associations and federal websites (e.g., HIPAA). Some resources, Spoor noted, are free and others are part of member benefits from paid dues.

She also urges audiologists not to let price be a reason they skimp on cybersecurity. “Ask the cybersecurity expert about alternative options or a hierarchy of things to complete, if money is an issue,” Spoor suggested. “For example, picking a free antivirus software just to save a few bucks is a bad choice.”


For the audiologist looking to optimize their cybersecurity systems, Dykstra recommends starting with a risk assessment. “In the beginning, most of my clients don’t know what’s already going well and where they are accepting the most risk,” he explained.

“Some don’t know if they have encryption enabled or not. Many don’t have an incident response plan. HIPAA requires a routine Security Risk Analysis in order to be in compliance with the law,” he continued. “Once you know where the gaps are, make and execute a plan to fill them.”

Dykstra also urges audiologists to strongly consider cyber insurance as a part of their risk management program. “Ask your current business insurance provider(s) if cyber insurance is already part of your coverage (sometimes people don’t realize this) or if it can be bundled into your policy,” he said. “Insurance helps cover costs associated with high, unexpected costs such as a data breach.”

Successful cybersecurity requires ongoing reassessment and improvements. “Set aside a few hours for each of the first six months to start working on security in your practice,” recommended Spoor. “It is also important to help your patients understand what you are doing to make your practice secure (e.g., write a blog about it) and why.

“Audiologists want to be viewed as an integral part of health care and medicine and therefore need to act in the same manner as other physicians and providers. As my colleague says, ‘Doctors do this,’” she concluded.
