[00:00:00] Christian Dameff, MD: Hi again, I'm Dr Christian Dameff, medical director for cybersecurity and emergency medicine physician. In this episode, we will discuss how you can do your part to prevent cyberattacks in your work and at home.
[00:00:20] Now I suspect you feel like you've heard enough. You've heard about how cyberattacks can happen, about how criminals are motivated to commit cyberattacks for money, and the potential serious impacts on patient care and administrative operations.
[00:00:32] But you're probably asking yourself, what can I do to help fight these threats? How much cybersecurity am I responsible for if my primary job is caring for patients? Like everything else in health care cybersecurity, preparedness and response should be a team effort. Here are a few tips to always keep in mind.
[00:00:51] First and foremost, follow the security rules and practices that your organization may have in place. Take those annual training cybersecurity sessions seriously. I know they may be the last thing that you want to do in your spare time, but they're important. Develop phishing vigilance and awareness so you can recognize attempts before you fall for them.
[00:01:10] Be on the lookout for common things like misspelled words or awkward English or sender email addresses that just don't look right. When in doubt, ask your IT or security teams for help in assessing the legitimacy of a message or a sender. Be wary of unexpected requests for personal information. Never give out account numbers, PINs, or login credentials through email or by phone, even if the request sounds urgent.
[00:01:37] Don't open an unexpected attachment. Verify attachments before opening or downloading, even if an email seems to come from a company or person you trust. To make sure the file is legitimate, contact the company or individual directly through its website, or use a known, verified phone number. Find out how to report suspicious emails, phone calls, or human behavior in your own organization.
[00:02:00] Don't click on links from suspicious text messages. It may result in loading malicious software onto your device that will harvest your credentials. Think before you act. You shouldn't automatically trust any email message or voicemail, especially if it sounds frightening or too good to be true.
[00:02:18] Familiar logos, sender names, and personal information are often faked by scammers. These tips are important as much for your personal online habits as they are on the job. And when you are on the job dealing with patient information, medical devices, and administrative functions, keep these additional basics in mind.
[00:02:37] Keep patient data within the health care system, not on an iPhone or tablet. Don't send patient data on email, especially not in email attachments, unless you're using your organization's secure email functionality. Don't share your password or other credentials with anyone. Do not use weak, default, or similar passwords for all your accounts. Do not use passwords created from personal information that is easily discoverable. Cyber attackers may visit your bio page, your corporate website, or social media pages to guess your password using publicly available information like your birthday, job title, or even your children's names. Do not download unauthorized software, web browsers, plugins, or add-ons from the internet.
[00:03:22] Make sure new devices and programs have their passwords upgraded from their default setting. Cyber attackers can often find default passwords for hardware and software, or software with a simple Google search. Don't share your access card or allow others to tailgate into the premises without proper credentials.
[00:03:41] Institutional devices should not be used for personal activities. If you see something, say something. That means reporting incidents and breaches or anything suspicious right away. Get security and management involved. Report unusual activity happening on your computer, such as slowness or low memory warnings.
[00:04:02] Those could be signs of a computer virus. Know how to do basic upkeep of your own equipment and your organization's equipment if authorized by your IT and security departments. Keep your devices regularly updated to the most current operating system versions. Regularly clear your browser's data. Do not back up or store your data to an online service that has not been approved by your IT department.
[00:04:27] Do not delay the installation of IT updates, even if they come at an inconvenient time. It gives your attacker a longer window of opportunity. And finally, do be careful with USB drives, also called thumb drives. USB drives can be easily infected and move viruses from one computer to another. Do be careful connecting to suspicious-looking Wi-Fi networks in public places.
[00:04:51] Attackers can create illegitimate, publicly accessible Wi-Fi networks with official-sounding names. And remember, cybersecurity is a shared responsibility. Your organization's security team is ultimately responsible and accountable for the security of your systems and data. But you can make their job easier.
[00:05:10] Know that your security team has the welfare of your patients and your workflow in mind. They may involve you in a risk assessment for the organization, for example, to understand where your data is, how it is protected, and what can be done to better protect it. The policies they set will help you, your organization, and your patients.
[00:05:31] What if you're in a small family practice with no security team? Maybe you're both a nurse practitioner and the office manager, and you're expected to know the cybersecurity basics. You can still look at all your digital files and know what is most important, like patient financial data and medical records.
[00:05:48] That's the start of a risk assessment. Then you may consider consulting with a security specialist that can help you with your recommendations and even provide cybersecurity services appropriate to your organization. There are also many free and useful resources available from organizations including the FDA, the Department of Health and Human Services, and the Health Sector Coordinating Council, the creator of these videos.
[00:06:12] Whatever path you decide, remember that security is cheaper and more effective if it's built into processes at the beginning. As the old cliche goes, an ounce of prevention is worth a pound of cure. In our next video, we'll tell you what to do if or when you are attacked.
Disclosure Statement: Unless noted, all individuals in control of content reported no relevant financial relationships.
If applicable, all relevant financial relationships have been mitigated.