Healthcare information has become a target for commercial hackers. Learn about cybersecurity and how mental health agencies can reduce risks.
Cybersecurity is something that is at the top of everyone’s minds as the cyber world has become essential for pretty much everything that we do. Every day millions of financial and health transactions take place online and confidential information like diagnoses, prescriptions, social security numbers, addresses, PIN numbers and passwords are exchanged. This information is valuable to hackers, and they seek weaknesses in cyber security that they can capitalize on. Every industry needs to be aware of and prepare for this including mental health agencies.
The world changed in 2020 and is not going to go back to how it was before the COVID pandemic began. Mental health agencies are now more dependent on things like telehealth, online document exchange and e-signatures. These newer online activities are great as they increase client’s access to great care. They can also open agencies up to potential cybersecurity issues which are important to prepare for.
I sat down with Ben Levenson, Exym‘s DevOps Lead, to discuss ways that mental health agencies can reduce cybersecurity risks moving forward.
What is cyber security?
Cyber security refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access. Cyber security may also be referred to as information technology security.
Why is information from mental health agencies valuable to hackers?
Healthcare information in general has become a primary target for commercial hackers. The amount of personal data held by healthcare organizations is much greater than even financial institutions have. Credit card numbers can easily be replaced, PINs changed, etc. However, your name, social security number, and mailing address are much harder to change. Once a threat actor has this information, they are able to perpetuate much larger and longer-term fraud.
What are some areas where agencies could have high cybersecurity risk?
Almost every system an agency uses presents risk. For example, what if you use an independent PTO system, not directly tied into anything else. Seems pretty safe, right? What about the login? Do your employees use the same email and password? The same security reset questions? Gaining access to this is an easy hopping stone away from accessing financial and healthcare systems.
What are some top industry best practices that mental health agencies should do to limit risk?
The single most important thing you can do is enable MFA everywhere. Microsoft says MFA reduces identity compromise by 99.9% over passwords. Start with the easy ones: email systems, electronic medical record systems, financial systems. Vet new vendors to ensure they have an MFA system that works for your staff. The next thing to do is training. No computer system is perfect, so training your staff to recognize and mitigate threats is critical to protecting information. Recognizing dangerous websites, phishing emails, and social engineering attempts will allow them to be better stewards for client data and their own information.
Telehealth sessions have grown over 4000% since March 2020. What can agencies do to make sure that telehealth session are not exploited by hackers?
Treat telehealth just like you would an in-person session. Ensure all the people in the sessions are authorized to be there. Make sure the door is closed; online, that means things like having HTTPS encryption using a strong cypher. Only work with vendors that are focused on healthcare and fully understand the requirements of HIPAA. Consider the endpoints that staff is using as well; are they secured to the same level as the software you are using?
Have you learned any new cyber security lessons during COVID? How are you applying them?
With so many people being remote and the huge industry swings, this is the perfect opportunity to adopt a Zero Trust security model. Traditional computer security focused on the perimeter, or edge, or your network. This is basically the building you were in; everything inside was trusted, and everything outside was not. With staff being in multiple locations and software hosted in the cloud, it is time to look at new security stances. The Zero Trust model assumes every single connection is a breach attempt. Every connection needs to be verified through identity, location, MFA, and user patterns. This approach helps implements explicit verification and least privilege access. I have been using this as an opportunity to reexamine all of our security policies, making adjustments to the latest standards, and increasing our ability to monitor and enforce security at every layer.
How can Exym Behavioral Health EHR help mental health agencies with cybersecurity?
In 2021, Exym launched Exym Engage, an all-in-one telehealth software solution that allows the clinician to move through their daily tasks from one centralized location, simplifying their workflows so they can focus on what they do best: delivering great care. Exym Engage includes capabilities like sharing documents with the client through secure messaging in the session itself, collecting intake documents and filing them in the client record (with clients and their families able to sign electronically from their phone or computer) and communicating with clients between sessions through secure messaging. Clients can retrieve the records they’ve requested electronically. All of this comes with the same standards of HIPAA compliance, access controls, and record retention that you should have in your EHR.