Optometry Clinics on the Frontlines of Cybersecurity

We have all received the Facebook messages and emails from friends, acquaintances, and extended family where the grammar does not seem quite right, or where they are asking for money after an accident that no one knew about. Maybe your credentials were among the millions exposed in a data breach like Experian, LinkedIn, or MyFitnessPal. It is also quite likely that your organization has experienced a ransomware attack and had daily operations interrupted because computer systems were down. We have all suffered through shortages of gas and meat as supply chains were hit by ransomware or other cyber-attacks. Regardless of how you have heard of ransomware, cybersecurity is a hot topic across all industries and even in personal lives. The Cybersecurity and Infrastructure Security Agency (CISA) explains: “Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information” (1).

Well, what can you do? Shouldn’t that be handled by your IT department or outsourced IT vendor? To a large degree, yes. However, there is an adage in the cybersecurity industry that the weakest link in network security is the human one. As eye care professionals, you collect, record, manipulate, and have access to sensitive personal data and health information on the people in your care. Knowledge and diligence in proper cybersecurity hygiene are key to protecting that data.

CISA notes a few areas where a nurse would be the frontline defense against cyber-attacks:

  1. Use strong passwords. Select passwords that will be difficult for attackers to guess, and use different passwords for different programs and devices. It is best to use long, strong passphrases or passwords that consist of at least 16 characters (1). Do not store passwords on a sticky note attached to the monitor of a workstation that is shared by multiple people. There are good software-based password managers such as 1Password, LastPass, and Bitwarden, and Apple and Google also ship native, secure password managers.
  2. Be suspicious of unexpected emails. Phishing emails are currently one of the most prevalent risks to the average user. The goal of a phishing email is to gain information about you, steal money from you, or install malware on your device. That malware can then gain access to all data on your company’s network and/or encrypt every device on the network, which could shut the company down entirely. Be suspicious of all unexpected emails (1). This is where the human link is the most vulnerable. A good phishing email will look like a legitimate Apple or Spotify email, or even an email from your own organization, and will try to convince you to change your password or download a payload. If it looks suspicious, alert your IT team or Managed Service Provider before you open attachments or click any of the links in the email.
  3. Multi-Factor Authentication. It is virtually impossible to find a healthcare organization that does not use some kind of Multi-Factor Authentication, and insurance companies and HIPAA are making it a requirement. While it can be annoying to enter another code just to log in for two minutes on a computer, it is imperative for the safety of the overall environment.

Additionally, there are some administrative processes that should be implemented. Check with your leaders and administration to make sure that certain measures are in place to keep your data and your patients’ data secured. As BCI’s lead security expert, Jeff Robbins, notes, “I believe it is very important to have a strong governance, risk, and compliance process internally. The one issue I tend to see is that while many organizations might have policies and procedures that dictate how things should work, they often lack adequately trained staff to implement those policies. That is why it is so important to have properly trained staff at an expert level on the technical controls that are used in the environment.” (2) Not only should eye clinics and all staff be given procedural training and security awareness training on phishing emails, but there should also be other policy measures to ensure safety, such as not allowing usernames and passwords to be shared among coworkers.

Other things even the most basic IT networks should be employing are:

  1. Installing and properly configuring a firewall. A firewall is a network device that monitors network traffic, stopping potential malicious data before it can enter a network, as well as blocking unnecessary outbound data from leaking.
  2. Patch management. Is your IT staff patching servers and workstations on a regular schedule? Are they updating firewalls after known vulnerabilities are disclosed? Patching equipment to the most up-to-date versions protects your environment from known vulnerabilities and the exploits that target them.

Lastly, antivirus has curiously been left out of the conversation up to this point. In the modern technology landscape, antivirus as we once knew it, Norton or McAfee, is not a sufficient tool. Viruses, worms, and trojans have adapted in ways that traditional antivirus solutions cannot detect. The solution is to implement a good Endpoint Detection and Response (EDR) product. Large companies started deploying EDR a few years ago, but in the last year or two the frequency of attacks has increased so dramatically that it is now a necessity for organizations of all sizes.

As optometrists and medical professionals in Mississippi, you care for millions of our state’s citizens, keeping them healthy, enriching their lives and experiences. Keeping their medical data secured and protected should also be a priority as we continue to care for people in this new era of technology.

Business Communications, Inc (BCI) was founded in 1993 and is headquartered in Ridgeland, MS. BCI employs roughly 100 people spread across several states and currently holds more than 200 security certifications. BCI has been voted #1 IT Company in MS, Best Place to Work, and Fortinet’s Regional Partner of the Year. BCI manages IT and security for hundreds of companies across Mississippi and beyond.

www.bcianswers.com – 601-898-1890

Tim Bell
Account Manager
442 Highland Colony Pkwy | Ridgeland, MS 39157
O 601.427.4239 | C 601.259.1234 | w bcianswers.com


References:

  1. https://www.cisa.gov/uscert/ncas/tips/ST04-001
  2. https://www.fortinet.com/blog/industry-trends/how-to-cultivate-the-new-generation-of-cyber-professionals


InfantSEE®

We are proud to be an affiliate of the American Optometric Association and to be enrolled as InfantSEE® providers.

Infant vision development is key to a child’s overall development and a happy, healthy life. InfantSEE is a partnership with the AOA and The Vision Care Institute of Johnson & Johnson Vision Care. The program is designed to make sure that eye and vision care become part of routine infant wellness care in the United States.

Under this program, MOA member optometrists offer a free first eye assessment for infants within the child’s first year of life.