Cybersecurity Awareness Month

October 1, 2020

Today may be the kickoff of Cybersecurity Awareness Month, but it’s never too early (though possibly too late) to pay attention to the cyberthreats that surround independent practices.

Now we know there are probably plenty of other things that sound a little more exciting than cybersecurity – but the recent Cybersecurity Advisory from the Office for Civil Rights (OCR) highlights why having the right safeguards in place to secure your patients’ protected health information (PHI) is, well, kind of a big deal.

With the rapid increase of cyber threats due to COVID-19 already on your mind, here are some key takeaways, fitting for Cybersecurity Awareness Month, to help your practice handle a suspected cyber threat like a pro:

  • First things first, if any malicious activity is suspected, throw on your Sherlock Holmes hat and collect the “clues” – in this case any logs or data – that might be relevant to the threat. This could be anything from suspicious file names, to unusual authentications, to anti-virus alerts. 
    • In order to know what you’re looking for, you have to first know where to look – which is why it’s recommended to have a regularly updated asset log documenting where sensitive data (and the threats to that data) are housed.
  • Overreacting, just like in real life, is NOT the right answer. Since we’re still wearing our Sherlock Holmes hats and collecting those all-important clues, keep the attacker or threat actor in the dark: that lets you collect all the data you need (and keep that data intact) before your new nemesis is alerted and either does more damage or hides their tracks before you have a chance to act.
    • If you’re in the midst of a suspected cyberattack, refer to the OCR’s recommended steps to best handle the incident. 
    • Because the data your practice houses includes sensitive PHI, having the proper backups of that data in case of a cyberattack is essential so no data is lost.
  • While that new detective hat looks pretty nice, it’s still important to leave some work to the experts. The OCR recommends soliciting incident response support from a third-party IT Security organization to ensure that the incident is mitigated properly and your practice can steer clear of any ‘follow-up’ threats.  

We know that channeling your inner investigator and hunting for clues does sound like fun, but knowing how to handle a suspected breach is just the tip of the iceberg when it comes to cybersecurity. While there’s no sure-fire way to avoid falling victim to a cyberattack, you can implement various technical safeguards to reduce the risk.

Having a strong defensive line isn’t just important for football (cybersecurity isn’t the only thing we’re excited about this month) – it’s also imperative for making your practice’s data a bit harder to access. Having multiple barriers to entry and a better understanding of how to detect a threat is the best way to protect your practice, and following the right process after an attack will help to mitigate the damage done.