We live in a world where cyber-attacks are common. They used to be sporadic and focused on big corporations, but the COVID-19 pandemic and other factors have made online security breaches prevalent across businesses of all types and sizes. Most small businesses are not equipped to manage this situation properly; for example, if it is a ransomware attack, the business owners often choose to pay the ransom to get their data back. Quite often, these businesses are attacked more than once in a short span of time.
AT A GLANCE
- Ensure that all your devices and software are up to date with the latest operating system releases and security fixes.
- Use different (and complex) passwords for each of your accounts, sites, and devices, and use multifactor authentication whenever possible.
- Periodically check to make sure that your scheduled backups are working.
All industries are vulnerable to the ever-increasing risk of cyber-attacks, and health care—including retina—is no exception. Finding ways to protect your online data can seem daunting, but the simple steps outlined in this article can help you reduce your practice’s exposure and minimize the chances of a successful cyber-attack. Here’s what you and your staff can do.
STAY UPDATED
Let’s start with the basics. Regardless of the devices that you use (ie, PC or Mac computer, iPhone or Android smartphone, router, hotspot, etc.), ensure that they are all up to date with the latest operating system releases and security fixes. These security fixes help to protect your devices from online attacks that aim to exploit vulnerabilities that have been disclosed and published.
Most platforms can be configured to apply updates automatically overnight or during idle periods, so you should be able to handle this in your office without disrupting the workflow. If you are a small retina practice with a set of systems that are critical for your day-to-day operations, roll out operating system updates in phases so that they do not disrupt your patient care.
VARY YOUR PASSWORDS
Next, let’s talk about a term known as credential hygiene, which refers to the way in which you handle your practice’s online credentials (ie, usernames and passwords). The very first step to optimal credential hygiene is using different (and complex) passwords for each of your accounts, sites, and devices. Don’t forget to change the default passwords that come installed on certain “internet of things” devices such as wi-fi routers, modems, wireless speakers, smart locks, and various software programs, to name only a few. You should change the password as soon as you install/configure each of your devices or software packages.
Whether you like it or not, recycling passwords is a bad idea. If you struggle to remember several passwords, consider using a credential vault/password manager application. These tools can ease the burden of remembering passwords and may even have the capability to generate complex passwords for you based on your requirements.
The next step is implementing multifactor authentication whenever possible. There are several options depending on the platform or service, including authenticator applications (Microsoft Authenticator, Google Authenticator), phone authorizations (text message, voice call), physical tokens (smart card, fob, Fast Identity Online [FIDO] key, etc.), and biometrics (fingerprint, facial recognition). As part of your credential hygiene approach, retina practices should consider using different accounts based on the tasks being performed; for example, you can have one account for daily tasks, such as productivity trackers and internet browsing, and another account for highly privileged tasks such as administration of services, servers, and other assets within your organization.
Finally, your staff members should access highly privileged accounts only while using an approved administrative workstation. This helps to ensure that the highly privileged account is protected by isolating it to one workstation within the practice. Access to services, such as patient scheduling or EHRs, should be specific to the identity of the person with access. For example, a scheduler could use the same computer as a scribe but would not have access to patient data. Just remember that passwords should never be shared. They should be specific to each user’s identity. When an employee leaves the practice, be sure to disable that identity and remove all the permissions and access granted to that identity.
BACK UP YOUR DATA
Just the thought of backups likely has most practitioners groaning. Nonetheless, they are important, particularly if you ever find yourself in a ransomware situation and want your data back without having to pay the ransom. You can back up almost everything, and many devices come with built-in backup capabilities. Several solutions offer cloud capabilities, which provide an offsite backup of your data in the cloud.
To be HIPAA compliant, you must have a backup plan. Keep at least three separate copies of your data that are independent of each other. These copies should be stored on two physically independent devices with no cross-data synchronization or access of any kind between them; for example, place one copy on an internal hard disk and a second copy on an external hard disk. At least one copy must be kept outside the primary data center or office to protect against disasters such as fire, flooding, or other circumstances. The cloud can offer solutions for this.
Occasionally, practitioners and office managers should check to make sure that any scheduled backups are working. The last thing you want is to try to restore data when you are in need only to realize your backups were never working.
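The "three copies, two devices, one offsite, and actually working" check described above can be written down so it runs the same way every time. This is an added example, not code from the article; the copy records below are constructed, and in practice you would fill them in from your backup software's logs or job history.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BackupCopy:
    label: str              # e.g. "internal disk", "USB drive", "cloud"
    device_id: str          # identifies the physical device or storage system
    offsite: bool           # kept outside the office or data center?
    last_success: datetime  # when this copy last completed successfully


def audit_backups(copies, now, max_age=timedelta(hours=36)):
    """Return a list of problems; an empty list means the plan passes.

    Checks: at least three copies, on at least two distinct devices,
    at least one offsite, and every copy refreshed within max_age.
    """
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need 3)")
    devices = {c.device_id for c in copies}
    if len(devices) < 2:
        problems.append("all copies share one device (need 2 independent devices)")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy (need 1 outside the office)")
    for c in copies:
        age = now - c.last_success
        if age > max_age:
            problems.append(f"{c.label}: last good backup {age.days}d ago")
    return problems


# Constructed sample: the internal / external / cloud layout from the text,
# except the external disk has silently stopped receiving backups.
NOW = datetime(2024, 3, 1, 8, 0)
SAMPLE_COPIES = [
    BackupCopy("internal disk", "dev-internal", False, NOW - timedelta(hours=6)),
    BackupCopy("external USB disk", "dev-usb", False, NOW - timedelta(days=40)),
    BackupCopy("cloud backup", "cloud-vendor", True, NOW - timedelta(hours=7)),
]

if __name__ == "__main__":
    for problem in audit_backups(SAMPLE_COPIES, NOW) or ["backup plan OK"]:
        print(problem)
```

A stale copy is the failure the text warns about: everything looks configured until the day you need to restore.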
ONLINE SECURITY GLOSSARY OF TERMS
- Credential Hygiene: The way in which you handle online credentials, such as usernames and passwords.
- End-to-End Encryption: A method of communication that prevents uninvited parties from accessing data that is transferred from one device to another.
- Firmware: Permanent software that is programmed such that it is read-only.
- Internet of Things: Objects (or groups of objects) that possess sensors, processing capabilities, and/or software that allow for the exchange of data between devices over the internet or within a closed network (ie, Bluetooth).
- Malware: Software designed to disrupt, damage, or gain access to a device or computer system.
- Mi-Fi: A portable broadband device that allows multiple users and devices to share an internet connection.
- Multifactor Authentication: A technology that requires the user to provide more than one form of verification to gain access to a device, software, or application.
- Phishing: Cyber-attacks sent through email that ask for some type of interaction with the user to gain access to the device and/or user information.
- Ransomware: A type of malicious software that blocks access to a computer system or device until the authorized user pays a sum of money.
BEWARE OF PHISHING
For those not familiar with the term phishing, these attacks are sent through email and ask for some type of interaction with the user (click on a link, enter certain information, etc.). Although it was easy to spot a fake email in the past, scammers have become increasingly skilled at presenting what appears to be a reputable email. Retina practices that have a cloud-based email service like Microsoft 365 or Google can leverage the built-in spam-filtering capabilities to avoid many of the attempts from adversaries to gain access to your information or systems.
Messaging Pro Tip
When messaging with your phone, use an option that provides end-to-end encryption for all conversations. Two applications, Signal and Telegram, are good options for this purpose and are free. These allow the creation of group texts, and you can manage the members, even for business-related chats.
However, some emails will always sneak through even the most advanced protections. Here is where you, as a user, must be mindful prior to clicking on anything. Verify who is sending the email (is it a known and reputable email address?) and hover over the link to see the true destination. You can also copy the link and do a safety check in VirusTotal (www.virustotal.com/gui/home/upload) or Google Safe Browsing (safebrowsing.google.com), both free online services, to assess if you are at risk of phishing or malware. In addition, don’t call phone numbers that are provided in an unsolicited email; if you are expecting an email from that company, do an internet search for the company that is trying to contact you and ensure that the number is accurate. This may seem like an arduous additional step, but your safety comes first.
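The "hover over the link to see the true destination" check can also be done in code, which is useful when reviewing a suspicious message after the fact. This is an added example, not from the article: it parses the HTML body of an email, and flags links that point outside a list of trusted domains or whose visible text names a different host than the real destination. The email body and domain names below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    # Lower-case hostname; bare text such as "vendor.com/x" is treated as a URL.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def suspicious_links(html_body, trusted_domains):
    """Return hrefs that point outside the trusted domains, or whose visible
    text names a different host than the real destination."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for text, href in parser.links:
        real = host_of(href)
        looks_like_url = "." in text and " " not in text
        shown = host_of(text) if looks_like_url else None
        trusted = any(real == d or real.endswith("." + d) for d in trusted_domains)
        if not trusted or (shown and shown != real):
            flagged.append(href)
    return flagged


# Constructed sample: the link text shows the vendor's address, but the href
# leads to a lookalike host (placeholder domains, not real ones).
SAMPLE_EMAIL = """<p>Your account needs attention. Sign in at
<a href="http://login.example-vendor.com.attacker.invalid/reset">login.example-vendor.com</a>
or read our <a href="https://support.example-vendor.com/help">help pages</a>.</p>"""
```

Calling `suspicious_links(SAMPLE_EMAIL, ["example-vendor.com"])` flags only the first link; the second stays within the trusted domain and its text makes no claim about the destination.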
WELL-ROUNDED PROTECTION
Whether you are working from home, your main office, or your satellite office, ensure that your internet access is protected. This means:
- Ensuring that your router has a different password than the default one.
- Keeping your router’s firmware up to date.
- Creating guest wi-fi access that does not reach the assets within your business. As an example, you can create a service set identifier that is accessible to patients but does not allow access to scheduling or patient data (your router may also let you set up MAC address filters so that only approved devices can join your network).
- Not advertising the name of your wi-fi (this can be changed in the configuration).
All your devices need protection, even your smartphones, especially considering how much time we spend on these for both personal and business reasons. An antivirus solution is a must. Whichever platform you choose, make sure that the definitions it relies on to recognize threats are always updated. If you are a Microsoft 365 subscriber, you should leverage Microsoft Defender (included with it), which gives you a simplified but robust online security platform. This will allow you to monitor your online security status for all your devices. It also provides malware protection for all your devices and recommendations on what actions you can take to keep your data and devices secure.
When traveling, try to avoid using public wi-fi and public USB recharging stations. Stick to using a Mi-Fi portable device for wi-fi purposes or tether from your smartphone to ensure that you are using a known connection. Use your own power adapter and USB cable, because adversaries can use these to get access to your devices, plant malware on them, or trick you into visiting a fake website to harvest your credentials.
Also, invest in a laptop privacy screen. This ensures that only you are looking at your display and eavesdroppers cannot get information by sitting next to you. You can never be too vigilant in this hyper-connected world.
This “never too careful” approach may seem over the top for the average user, but retina physicians have a lot at stake when it comes to cyber security measures.
CYBER SAFETY IS NO. 1
Keeping your data safe takes a lot of work, but the simple principles outlined in this article can help to reduce your risk of cyber-attack. In doing so, you can potentially avoid a ransomware attack that can affect your practice or, worse yet, your patients, or even put you out of business altogether if you are unable to recover your data or pay the ransom.
The overall approach is simple: reduce your attack surface (or sum of the ways you could be breached) and do not expose yourself. Use only reputable services to ensure that your practice’s data stay secure. Many security solutions/vendors exist (more than you can imagine), all of which can help you implement the simple approaches outlined in this article and tailor the security measures to your practice’s needs. Do your due diligence to ensure that you cover all your devices, systems, and software to improve your overall security.