HIPAA TIP: Cybersecurity Tips

Cybersecurity best practices help individuals and organizations implement measures to defend themselves and manage cyber risks.

Start with a foundation that includes identifying, assessing and responding to risks, the likelihood an event will occur and the potential resulting impacts.

When conducting the annual HIPAA Risk Analysis compile a list of risks or vulnerabilities to the ePHI and PHI that the organization has in paper charts, computers, servers, web-/cloud-based software systems or applications, cell phones, machines or devices storing ePHI, such as diagnostic machines and multi-function copiers with hard drives (memory). Once all ePHI and PHI is identified, assess how the data is secured. Include the following:

  • Unique IDs and passwords for all operating systems and applications containing ePHI; no shared or generic accounts for these systems.
  • Enable a strong password policy, with passwords being at minimum 8 characters, not first and last names – pass-phrases best of all. Be sure to have a restriction on the reuse of passwords (cannot use last 7 or more, or never).
  • Systems and applications containing ePHI need to have an account lockout policy (3-4 failed login attempts), and an auto-lock after 10-15 minutes of inactivity.
  • Educate staff on thinking before clicking on a link or opening an attachment in an email (phishing attacks).
  • Updating software whenever possible and decommission all out-of-date / end-of-life devices.