Healthcare Cyber Security Best Practices: 10 Don’ts For Workers
In the fast-paced world of healthcare, where efficiency and patient care are top priorities, the significance of cybersecurity is often overlooked.
One common but critical oversight is the use of obvious passwords.
While it may seem like a straightforward practice to avoid, the reality is that overly simplistic passwords still pose a significant threat to healthcare systems.
In this blog post, we’ll delve into the importance of robust cybersecurity practices, focusing on the 10 critical “don’ts” that healthcare professionals should keep in mind.
1. Don’t Use Obvious Passwords
Seems obvious, right? But using overly simplistic passwords is still a major vulnerability for healthcare systems.
Passwords like “Password123” or “Welcome1” are incredibly common yet provide no protection. Here are some tips to choose better passwords:
- Avoid dictionary words and personal info like your pet’s name, birthdate, address, etc. These are easily guessable.
- Make passwords long and complex. Combine upper- and lower-case letters, numbers, and symbols like &^%$. Length is key.
- Consider passphrases – random word combinations like “SkyJellyPiano442%” are complex but easier to remember.
- Never reuse passwords between accounts. If one is compromised, every account sharing that password is exposed.
- Use a password manager app to generate and store strong unique passwords for every system.
- Change temporary admin passwords at first login before accessing patient data.
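One way to turn the tips above into an automated check, as an added example that is not from the post; the blocklist and the personal-info sample values are constructed for illustration:

```python
# Added example (not from the post): a checker for the password tips above. The
# blocklist and personal-info sample values are constructed for illustration.
import re
from typing import Iterable

# Constructed blocklist of base words behind passwords the post calls out as common.
COMMON_BASE_WORDS = {"password", "welcome", "chicken", "letmein", "qwerty", "hospital"}
MIN_LENGTH = 12          # below this, reject outright
PASSPHRASE_LENGTH = 16   # at or above this, fewer character classes are acceptable

def base_word(pw: str) -> str:
    """'Password123!' -> 'password': trailing digits and symbols do not make a word strong."""
    return re.sub(r"[^a-z]+$", "", pw.lower())

def check_password(pw: str, personal_info: Iterable[str] = ()) -> list:
    """Return the reasons a password fails the tips above; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    word = base_word(pw)
    if word in COMMON_BASE_WORDS:
        problems.append(f"built on the common word '{word}'")
    for item in personal_info:
        # Pet names, birth years, street names: anything an attacker could look up.
        if len(item) >= 3 and item.lower() in pw.lower():
            problems.append(f"contains personal info '{item}'")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3 and len(pw) < PASSPHRASE_LENGTH:
        problems.append("fewer than three character classes and too short to be a passphrase")
    return problems
```

A long passphrase of plain words passes on length alone, which matches the post's point that length matters more than symbol count.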
Let’s learn from Lee’s mistake:
Lee was an A&E nurse who always used simple passwords like “Chicken123” because complex codes were too hard to recall when logging in to multiple systems daily.
One day, he received a phishing email that looked like it came from hospital IT.
Without verifying, he entered his standard password into a fake password update website linked in the email.
That gave hackers access to Lee’s account which they used to steal patient data and health insurance numbers, costing the hospital millions.
If only he had taken the time to use strong unique passwords, this could have been prevented.
2. Don’t Open Unverified Email Links or Attachments
Email offers hackers an easy doorway into organisations through malware-laden links and files. Some key pointers:
- Never open attachments or click links in emails from unfamiliar senders. This is a textbook malware tactic.
- Verify legitimacy before downloading even if seemingly from colleagues. Accounts get impersonated or hacked.
- Be extremely wary of social media messages asking you to open attached documents or links. This is a common malware delivery route.
- Confirm validity via a different medium like phone before opening unexpected attachments from contacts.
- Report suspicious emails to IT instead of engaging. Don’t reply.
- Hover over hyperlinks to see if the web address looks legitimate. Spoofing is common.
- Be wary of extreme claims of issues that require urgent action like fake system notifications. Fear-mongering tactic.
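The "hover over the link" check above, automated for an HTML email body, as an added example that is not from the post; the sample message and the domain names in it are constructed:

```python
# Added example (not from the post): flag <a> links whose visible text names a different
# host than the real href, or whose destination is outside the organisation's domains.
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url: str) -> str:
    """Lower-case hostname of a URL; bare text like 'intranet.example/x' is treated as a URL."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html: str, trusted_suffixes: tuple) -> list:
    """Return the real hrefs that a reader hovering over the link should be suspicious of."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        real = host_of(href)
        # Only treat the link text as a claimed address if it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        text_lies = bool(shown) and shown != real
        outside_org = not any(real == s or real.endswith("." + s) for s in trusted_suffixes)
        if text_lies or outside_org:
            flagged.append(href)
    return flagged

# Constructed phishing-style message: the displayed address is the intranet, the real link is not.
SAMPLE_EMAIL = """<p>Your password expires today. Update it at
<a href="http://hospital-it-update.example.net/reset">https://intranet.hospital.example/reset</a>
or read the <a href="https://intranet.hospital.example/policy">IT policy</a>.</p>"""
```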
Let’s learn from Aisha’s click-first, ask-questions-later mistake:
Aisha was an office administrator at a clinic who often downloaded attachments people emailed her without verifying first.
One day she got an email warning her a delivery invoice needed payment and to click the PDF attached immediately.
Without noticing the strange sender address, she quickly downloaded the PDF which installed ransomware encrypting the clinic’s entire system.
This caused massive disruption and revenue loss all because she didn’t take time to validate unexpected attachments per security training. A quick call could have prevented disaster.
3. Don’t Access Beyond Your Role
Resist the temptation to access systems or data beyond your job duties. Unnecessary access leaves more openings for mistakes or misuse.
Some guidance:
- Only use systems required for your authorised work activities.
- Don’t look up test results or details out of curiosity if you don’t have a clinical need.
- Be mindful not to view patient data visible on monitor screens when walking past workstations. Averting eyes is best.
- When assisting colleagues with system use, avoid gazing at their screen where personal health info may pop up. Step away.
- If you can access more data than seems appropriate, report this to determine if your access should be limited.
- Don’t attempt to log into clinical systems using other staff credentials even if they stay logged in.
Let’s learn from Dan’s unauthorised snoop:
Dan was an IT technician who enjoyed reading medical details while fixing clinicians’ computer issues. He knew this violated patient confidentiality but did it anyway out of fascination.
One day a VIP patient noticed Dan reading her record and filed a major complaint.
Only assigned direct care staff should ever access records.
Dan’s curiosity got him fired, sued, and forever tarnished the hospital’s reputation. If only he had honoured his role!
4. Don’t Discuss Patient Details Over Unsecure Channels
How staff communicate patient data is just as important as where we access it. Some guidance:
- Never use standard text messaging or email for sharing health details or images. Not secure enough.
- Use only approved apps, such as secure messaging tools that encrypt messages in transit and at rest.
- Keep identifying details in communications to a minimum, using initials, case numbers or date of birth rather than full details.
- Be careful discussing patients in public areas where conversations can be overheard.
- On phone calls use guarded language in case someone is within earshot.
- When leaving voicemails, avoid stating specifics if unsure who may retrieve them.
Let’s learn from Emma’s messaging misstep:
Emma was a health visitor who often texted unencrypted patient details like medications and diagnoses to doctors for advice, finding it quicker. She assumed texts were private.
One day a teen patient spotted texts about her case on Emma’s unlocked phone during a home visit.
This prompted an investigation of many HIPAA violations.
Had Emma confirmed approved secure methods, she could have avoided this breach of trust and termination. Secure communication is a must in healthcare.
5. Don’t Use Public WiFi for Work
The open nature of public networks poses risks for sensitive activities:
- Avoid accessing internal systems or work email on café WiFi or airport networks. These networks are not secure.
- Disable WiFi autoconnect so devices don’t join public networks without you realising.
- Use VPNs or similar tools that encrypt traffic even on open networks when remote access is essential.
- For remote work, use the phone as a hotspot instead of public WiFi to stay secure.
- If public WiFi is unavoidable, use it only for general web browsing, never email logins or confidential systems.
Let’s learn from Hassan’s open network mistake:
Hassan was a caseworker who did paperwork at coffee shops while traveling between client visits.
For convenience, he simply connected to their public WiFi to send updates via work email.
One day the café network was hacked, allowing criminals to sniff Hassan’s login credentials from the insecure traffic.
His email was accessed, resulting in major privacy violations that got him fired and sued. Using only secure networks could have prevented this.
6. Don’t Delay Software Updates
Patching delays are one of the biggest threats as they allow known fixed vulnerabilities to be exploited before systems get updated.
Some guidance:
- Promptly install security updates for operating systems and apps when notifications appear.
- Never click “remind me later” or postpone rebooting after patches. Just do it!
- Enable automatic updates where possible so you don’t have to remember.
- Prioritise updates for any end-of-life software still lingering to minimise risk.
- Test patches proactively in development environments before broad rollout.
Let’s learn from Andre’s “I’ll do it tomorrow” patching procrastination:
Andre was a health records officer who found software updates inconvenient, so he’d dismiss the reminders.
One day a ransomware worm entered via an unchanged default admin password and unpatched browser vulnerability. Within hours, patient databases were encrypted, and operations crippled.
Andre realised ignoring updates had enabled this. Staying on top of patches is vital when under pressure.
7. Don’t Share Login Credentials
Every staff member is responsible for actions occurring under their login.
Never share accounts! Instead:
- Log out of workstations after using so others can log in under their credentials.
- Report shared accounts or situations where coworkers ask to “borrow” your badge or password.
- Don’t keep written credentials accessible. Report lost badges immediately.
- When assisting others with system use, have them enter credentials so you avoid viewing.
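Two detections an audit team can run to catch the behaviour described in sections 3 and 7, record views by staff outside the care team and one account active on two workstations at once, as an added example that is not from the post; the audit log, users, workstations and patient IDs are constructed:

```python
# Added example (not from the post): two detections over a constructed EHR audit log,
# record views outside the care team (section 3) and one account active on two
# workstations at once (section 7). Users, hosts and patient IDs are made up.
from datetime import datetime

# Constructed audit log: time, user, workstation, action, patient (blank for login/logout).
AUDIT_LOG = """\
2024-03-04T09:00:00,nurse.lee,ward3-pc1,LOGIN,
2024-03-04T09:05:00,nurse.lee,ward3-pc1,VIEW_RECORD,P1001
2024-03-04T09:07:00,tech.dan,helpdesk-pc2,LOGIN,
2024-03-04T09:08:00,tech.dan,helpdesk-pc2,VIEW_RECORD,P1001
2024-03-04T09:12:00,nurse.lee,ward3-pc4,LOGIN,
2024-03-04T09:13:00,nurse.lee,ward3-pc4,VIEW_RECORD,P2002
2024-03-04T09:30:00,nurse.lee,ward3-pc1,LOGOUT,
"""

# Constructed care-team roster: who has a clinical need for each patient's record.
CARE_TEAM = {"P1001": {"nurse.lee", "dr.ahmed"}, "P2002": {"nurse.lee"}}

def parse_log(text: str) -> list:
    """Parse the CSV-style log into (time, user, host, action, patient) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, action, patient = line.split(",")
        events.append((datetime.fromisoformat(ts), user, host, action, patient))
    return events

def out_of_role_access(events: list) -> list:
    """(user, patient) pairs where a record was viewed by someone not on that patient's care team."""
    return [(user, patient) for _, user, _, action, patient in events
            if action == "VIEW_RECORD" and user not in CARE_TEAM.get(patient, set())]

def concurrent_sessions(events: list) -> list:
    """(user, existing_host, new_host) where an account logged in while still active elsewhere,
    the pattern left by a shared login or a workstation nobody logged out of."""
    active, flagged = {}, []
    for _, user, host, action, _ in events:
        if action == "LOGIN":
            elsewhere = active.setdefault(user, set()) - {host}
            if elsewhere:
                flagged.append((user, sorted(elsewhere)[0], host))
            active[user].add(host)
        elif action == "LOGOUT":
            active.get(user, set()).discard(host)
    return flagged
```

In the sample log the technician's view of P1001 is flagged as outside his role, and the nurse's second login shows up because the first workstation was never logged out of.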
Let’s learn from Adeline’s credential-sharing blunder:
Adeline was a home care nurse who often loaned her badge and login to new trainees still awaiting their own, as she felt sorry for them being locked out.
One day drugs went missing from a client’s home, and the records pointed to Adeline as the culprit because the trainee had been working under her login. Never changing the shared temporary credentials had given the real offender perfect cover.
She was fired and referred for a fraud investigation before finally figuring out what went wrong. Never share access!
8. Don’t Charge Devices in Clinical Areas
USB connections pose infection risks, especially in clinical zones.
Some tips:
- Never connect personal devices to charge using patient area computers. Malware can spread via USB.
- Disinfect clinical keyboards regularly as bacteria accumulate there.
- Use cable locks to secure shared charging points, for example those on mobile COWs (computers on wheels).
Let’s learn from Titus’ USB infection misstep:
Titus was a care technician who often charged his phone using the computers in patient rooms out of convenience between tasks.
One day, one of these charges infected a computer with ransomware, which then spread across the network before anyone realised what had happened.
The outbreak cost thousands in damage, all preventable by not charging in clinical areas. Small choices have big consequences.
9. Don’t Use Unidentified USB Drives
Mystery USBs are a classic infection risk. Exercise caution:
- Never plug in random USB drives found around the office. Could contain malware.
- Label any approved flash drives to avoid confusion.
- Secure all medical devices like MRI systems that use USB drives for exporting data.
- Limit unnecessary USB ports via physical seals or software policy restrictions.
Let’s learn from Wendy’s mystery USB mistake:
Wendy was a nurse who found a USB stick by the elevator and plugged it into a computer during her break to find the owner.
This launched ransomware which rapidly encrypted critical systems connected to that workstation.
Forensics traced the outbreak back to that unidentified USB stick.
Curiosity unfortunately enabled a major cyberattack simply by plugging in an unknown device. Vigilance with media is key.
10. Speak Up About Concerning Cyber Practices
Reporting concerns immediately is critical. Some tips:
- Don’t hesitate to speak up if you notice coworkers engaging in risky cyber activities. This protects patients.
- Report suspicious emails, abnormal behaviour like credential sharing, or possible incidents through designated channels.
- Suggest improvements, for example on weak passwords, locking unattended workstations, or protocols for public WiFi.
- Ask questions if unclear on proper cyber practices for your role so you can do your part. Awareness is empowering.
Let’s learn from Rosa’s speaking up story:
Rosa was a new clinical assistant observing processes during her onboarding. She noticed nurses printing health histories for their personal archives despite no need.
Rosa knew this needlessly exposed data so she confidentially reported the concerning practice through the ethics email hotline.
This allowed the privacy team to quickly intervene with additional staff training and fortunately prevented a bigger breach. Speaking up makes healthcare safer, even on small things.
In summary, we all play vital roles in healthcare’s human firewall.
But as these common scenarios show, one misstep can lead to major vulnerabilities and consequences.
Making cybersecurity basics part of our daily routines and speaking up when we see something is key. We’re in this together for our patients!