
Cybersecurity in medical facility – 8 good practices


Advancing digitalisation touches every industry. According to the Polish Centrum e-Zdrowia, up to 89% of medical facilities use IT systems to keep medical records. But the digital revolution also brings new threats and increases the risk of cyberattacks. Medical records are of great value to criminals because, unlike credit card data, they cannot be changed the moment they leak. How do you properly take care of cybersecurity in a medical facility? How should medical records be stored? And finally, how do you avoid GDPR fines? Take a look at our tips!

The medical industry faces many challenges

It is worth highlighting that a cyberattack on a medical facility can be far more destructive than one in any other sector. When the IT system is down, admitting new patients and performing surgeries or tests becomes a serious problem. Human life is at risk. In 2020 exactly this happened in Düsseldorf, when a hospital was hit by a ransomware attack. A woman who had to be redirected to another hospital died during the transport.

This is why you should take good care to prepare safe ground for all medical data in your facility. How? We have prepared 8 tips on how to cope with medical records security and organise a good cybersecurity system.

1. Analyse the whole data contact path

Think about how your facility collects, uses and stores sensitive data on three levels: medical registration, contact between staff and patients, and the document archive. How do patients register for their visits: by phone, by e-mail, in person? Is the whole path properly secured, in line with GDPR? Can patients have a video or phone call with a doctor? Which tools do you use to organise online consultations? Who can access the diagnostic data? Is it possible to issue an e-prescription? What levels of IT system access do your employees have? Each of these situations can end in a data leak if a security control fails.

2. Create passwords according to safety rules

A password is the shield that protects valuable medical data from threats. But a shield that is too weak, or that has leaked, is of no use at all when an experienced cybercriminal approaches. That is why, when creating any kind of access credentials to any of your business data, you should always remember a few things. First, make the password long: at least eight characters. Second, make it complex: it should contain capital and small letters, digits and special characters. Last but not least, make it unique: use one password for one account. This will certainly increase the security of medical data.
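A check that enforces these three rules at the moment a password is set, as an added example that is not taken from the article or from Sagenso. It assumes that the facility stores account passwords as salted PBKDF2-HMAC-SHA256 hashes, so that reuse across accounts can be detected without keeping any password in clear text; the work factor and the sample account name are assumptions made for the example.

```python
"""Password policy check for a medical facility's IT accounts (added example).

Policy, as described in the tip: at least eight characters, capital and small
letters, digits and special characters, and one password per account.
Assumption: existing passwords are stored as (salt, PBKDF2-HMAC-SHA256 digest).
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8            # "minimum eight characters"
PBKDF2_ROUNDS = 100_000   # assumption: the facility's PBKDF2 work factor


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest) for a password; a fresh random salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def policy_violations(password: str, other_accounts: dict[str, tuple[bytes, bytes]]) -> list[str]:
    """Return the policy rules a candidate password breaks (an empty list means it is accepted).

    other_accounts maps an account name to the (salt, digest) of that account's
    current password, so reuse can be detected without any clear-text password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.islower() for c in password):
        problems.append("no small letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    for account, (salt, digest) in other_accounts.items():
        # Re-derive with that account's salt; a match means the same password is already in use there.
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            problems.append(f"already used for account '{account}'")
    return problems


if __name__ == "__main__":
    # Constructed sample: the employee already uses this password for the hospital portal.
    portal_salt, portal_digest = hash_password("Correct-Horse-1")
    existing = {"his-portal": (portal_salt, portal_digest)}
    for candidate in ("short", "Correct-Horse-1", "Another-Pass-22"):
        print(candidate, "->", policy_violations(candidate, existing) or "accepted")
```

The reuse check is the part that cannot be done by looking at a password alone: it only works if the other systems' salted hashes are available to the check, which is a reasonable design for a central identity system but not for passwords held in unrelated third-party services.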

3. Take care of good protection for existing passwords

What else can be done to protect data in a medical facility? Protect the passwords that are already in use. Don't save them where anyone can see them (for example on a notepad on your desk). Don't send them by e-mail, SMS or any kind of instant messaging. Don't read them out over the phone. Best of all, never share any of them with others. Change your password every time you suspect a leak, and tell everyone in the facility to do the same.

4. Obey a clean desk and screen policy

Always be aware of how you handle medical data while at work. Can a random patient read what is on your desk? Can cleaning staff come across a patient file that is just lying around? Think also about your IT system: do you protect your data there sufficiently? Position your screen so that the person next to you cannot see what is on it. Protect your computer with a password so that no one can open any files without you present. Don't put a sticky note with a password on your computer.

5. Don’t neglect GDPR issues

One consequence of a medical records leak can be a fine under the General Data Protection Regulation. In Poland, the first fine for a medical facility was imposed in 2021 and amounted to about 19,000 euro. Remember that, according to GDPR, medical facilities must not only obey the law but also be able to prove that they do so properly, which always means managing your documentation meticulously. You are also obliged to have a DPO (Data Protection Officer) on board.

6. Report any incidents ASAP

Was there a data leakage incident? Was your information encrypted in a ransomware attack? You need to inform your national data protection authority immediately. An efficient response will help you limit the losses, including any GDPR fines. Make your employees aware of the situation: they need to inform you if they encounter a phishing attack or any breach of the data security rules.

7. Adjust employee permissions to actual needs

Make the rules for accessing any office, equipment and personal data in your medical facility clear, taking each employee's duties into consideration. Prepare a list of all resources that need to be shared between employees (patient documentation, personnel data, access data to things like bank accounts, PIN codes to the alarm system, video monitoring, etc.). Check that HR staff, cleaning staff and third parties do not have as wide a range of access as doctors or medical staff do. Adjust healthcare professionals' level of access to patients' personal data according to the scope of the tasks they perform or the hierarchy of tasks. Remember: when someone stops cooperating with your facility, immediately revoke every permission and access that person had. One Portuguese hospital paid a 150,000 euro fine for a GDPR violation when it turned out that only 296 of the 985 registered doctors actually worked there.
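An access review that applies the two rules above (least privilege per job function, and revocation when someone leaves), as an added example that is not from the article or from Sagenso. The job-function-to-resource matrix, the account names and the resource names are constructed for the example; in a real review the roster would come from HR and the account list from the directory service, and the output would be the work list for the IT team.

```python
"""Access review for a medical facility's IT accounts (added example, not from the article).

Inputs (both constructed here):
  * the HR roster of people currently working at the facility, with their job function;
  * the accounts that exist in the IT system, with the resources each may access.
The review reports accounts whose owner is no longer on the roster (to revoke) and
accounts holding a resource their job function does not need (excess access).
The job-function -> allowed-resources matrix is an assumption for this example.
"""
from dataclasses import dataclass

# Constructed least-privilege matrix: which resources each job function needs.
ALLOWED_RESOURCES = {
    "doctor":    {"patient_records", "e_prescriptions", "diagnostics"},
    "nurse":     {"patient_records", "diagnostics"},
    "reception": {"appointments"},
    "hr":        {"personnel_data"},
    "cleaning":  set(),            # cleaning staff need no access to any data system
}


@dataclass(frozen=True)
class Account:
    username: str
    resources: frozenset[str]


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str      # "revoke" (owner has left) or "excess" (more access than the job needs)
    detail: str


def review_access(roster: dict[str, str], accounts: list[Account]) -> list[Finding]:
    """Compare IT accounts against the HR roster; roster maps username -> job function."""
    findings = []
    for acct in accounts:
        job = roster.get(acct.username)
        if job is None:
            # Nobody with this username is employed any more: the account must go.
            findings.append(Finding(acct.username, "revoke", "owner is not on the current staff roster"))
            continue
        excess = acct.resources - ALLOWED_RESOURCES.get(job, set())
        for res in sorted(excess):
            findings.append(Finding(acct.username, "excess", f"{job} does not need '{res}'"))
    return findings


# Constructed sample data (fictional usernames).
SAMPLE_ROSTER = {
    "akowalska": "doctor",
    "jnowak": "nurse",
    "mwisniewska": "reception",
    "tzielinski": "cleaning",
}
SAMPLE_ACCOUNTS = [
    Account("akowalska", frozenset({"patient_records", "e_prescriptions", "diagnostics"})),
    Account("jnowak", frozenset({"patient_records", "diagnostics", "e_prescriptions"})),
    Account("mwisniewska", frozenset({"appointments", "patient_records"})),
    Account("tzielinski", frozenset({"appointments"})),
    Account("pdabrowski", frozenset({"patient_records"})),  # left the facility, account still active
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS):
        print(f"{f.issue:6} {f.username}: {f.detail}")
```

Running this review on a schedule (and on every leaver notification from HR) is what turns the "revoke immediately" rule into something that is actually checked rather than remembered.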

8. Train your staff

Even the most sophisticated security systems and procedures for accessing medical data are not enough if a human mistake occurs. This is usually where cyberattacks succeed. If just one person in the office downloads an infected attachment from a phishing message or logs in to a fake website prepared by attackers, the whole facility can be affected. All employees who deal with personal data on a daily basis should know how to protect that data, also online. They need to know how to recognise danger and how to react when something happens. Ideally, they should also be aware of the consequences the whole facility and each of them can face. That is why you should organise cybersecurity training.

How else can you work on data security in your medical facility? Run a free cybersecurity audit, which will show you the gaps in your security system and advise you on what to fix and how. We also invite you to visit our fanpage and LinkedIn profile, where we share cybersecurity news.

See ya! 

Sagenso Team 
