#BeCyberSmart: 6 actions to secure your practice now

Published on October 14, 2021

It’s that time again. October is National Cybersecurity Awareness Month, and it presents a great opportunity to take a step back and consider how you’re making online decisions in your practice. Why is this so important? Our online environments are constantly changing, leading to new opportunities for cybercriminals to steal large amounts of data about you, your practice, and your clients. 

Risk-Based Security’s 2021 Mid-Year Data Breach QuickView Report revealed that the first six months of 2021 saw 1,767 publicly reported breaches globally (1,243 in the US), exposing 18.8 billion records. Most of the breaches occurred in healthcare. 

Data theft is rampant in the online world, but there are actions you can take to protect your practice against it. As a company that specializes in secure online communication, we recommend that you find the time this month to take the following six actions to secure your practice.

1. Use two-step verification as an extra layer of security

Strong passphrases are a great way to protect your accounts. However, if a cybercriminal is able to figure out your passphrase (through a phishing attempt, for example, which you’ll read about below) they’ll be able to break in. Cybercriminals are becoming more and more sophisticated at figuring out passwords and passphrases, so it’s important to add an extra layer of security that will protect you if the passphrase alone can’t. 

Two-step verification requires you to verify your identity using two different methods. One is your strong, unique passphrase. The other is a separate security code that is sent to a second device by text message, sent to another email account, or generated by an authenticator app on your device such as Duo Mobile.

When you use two-step verification, even if someone has your passphrase, they can’t get into your account because they won’t have the second code. It’s a good idea to set up two-step verification on all of your main accounts, including banking, communication, and social media. Here’s how you can set up two-step verification on your Hushmail account:

  1. Sign in to your Hushmail account
  2. Go to the Preferences page by clicking the link in the upper right corner
  3. Select the Security tab
  4. To get started, click on the pencil icon to turn it on
  5. Follow the on-screen instructions

If you’re adding your account to a desktop or mobile mail program with our two-step verification feature enabled, you'll need to enter some additional information into the Password field in the mail program. You can read about how to do this in our help article.

2. Create unique passphrases for every account

When you have a ton of accounts to keep track of, it’s tempting to use the same password, or variations of the same password for multiple accounts. This is one of the easiest ways to get your account hacked. You should secure every account you have with a unique, strong password or passphrase. Of these two, a passphrase between three and five words is best. Passphrases can be easier to remember than passwords, but they must be entered accurately, so it’s a good idea to leave out extraneous words. For example, “flying lost basketball” is easier to enter accurately than “the flying basketball is lost.”

Be sure to note whether or not you capitalize the first letter. And never reuse a passphrase or password. Even if you use passphrases that are easy to remember, if you have more than a handful of accounts to keep track of, and most of us do, it’s a good idea to find a good password manager to keep track of them for you. If you’re not sure what you’re looking for, the best place to start is PC Mag’s list of the best password managers for 2021.

3. Be watchful and spot phishing attempts before you get hooked

Phishing is when a cybercriminal impersonates a legitimate company to trick unsuspecting users into handing over personal information. Criminals use the information to log in to accounts and steal identities, money, confidential information, PHI, or anything else of value. 

The best thing you can do to protect yourself from falling victim to a phishing attempt is to educate yourself on what a phishing attempt looks like. 

Here are some signs of phishing:

  • Does the message seem unexpected or out of place? If you receive an email from your bank with an unusual request, don’t discount your instincts. If you weren’t expecting the email, it’s a good idea to investigate further before opening the attachment or clicking on the link.
  • Does the sending email address match who the sender claims to be? Keep in mind that this can be faked, and matching address and sender don’t necessarily mean a legitimate email, but if the address and sender don’t match, it’s most likely a scam. For example, an email from your bank should not come with a Gmail address.
  • Is the email awkwardly composed with poor grammar? If there are mistakes or if the wording sounds strange, that could be a sign of phishing. However, keep in mind that phishing attempts can be very nicely composed and professional. A perfect-looking email doesn’t mean you shouldn’t be cautious.
  • Does the email open with a generic greeting? Most legitimate organizations will address you by name. Anything else, such as “Greetings user” or “Dear Sir/Ma’am,” is a good sign that the message is not legitimate.

Instill these three good email habits to make sure you don’t accidentally fall victim to a phishing attempt:

  • Don’t click on links in emails unless they’re expected
  • Don’t open attachments unless they’re expected
  • Never send your credentials, such as passwords and credit card numbers, through email

If you’re in doubt about an email, go to the company’s website (don’t click on the website link in the email but navigate to the site on your own) and either enter your credentials there if you need to check your account, or call the customer service phone number and ask about the legitimacy of the email. This might seem like a lot of extra work, but if it saves you from the tremendous inconvenience of a data breach, it’s worth it.

4. Be careful when using public WiFi

How often do you work outside your office? At a coffee shop, perhaps, or while on a bus or train? Being able to work anywhere at any time using public WiFi is one of the great conveniences of the modern age. However, just because you can do it doesn’t mean you should. 

Did you know that when you’re using public WiFi that isn’t secure (you don’t have to log in with a password), anyone else on that network can eavesdrop on what you’re doing? This isn’t a problem if you’re catching up on your reading or conducting research, but it is a problem if you’re sending a client follow-up questions about their last session. 

When you’re using public WiFi you should conduct your business as if a stranger were looking over your shoulder. 

Does this mean you can never work in a coffee shop again? While it’s a good idea from a security standpoint to limit your work to your office, there will be occasions when you have to work somewhere else, and the security of the network might be questionable. In these situations, you can use a virtual private network (VPN) to secure your work. 

A VPN is a secure network you can take with you so you can conduct your business privately and anonymously anywhere you go, even when you’re using a public network. 

VPN services can range in price from free to around $13/month, depending on how many devices you use and the amount of data you need. Here are a few things to consider when choosing a VPN service:

  • Will you be able to use the VPN with multiple devices? 
  • Does it provide you with enough data to do your work? It’s best to find a service that offers a plan without data limits.
  • Look for a VPN service that offers the protocol OpenVPN instead of PPTP. OpenVPN provides better security and supports all the major operating systems.

If you need a starting point for finding a VPN service, check out PC Mag’s list of the best VPN services for 2021, which includes both free and subscription services. 

5. Update your software

You know those update notices you get when you turn on your computer, ready to start your day? Don’t ignore them or put them off. Keeping your internet-connected devices up to date prevents infection from malware and ransomware that can take over your device and compromise your clients’ information. Consistently updating your software patches the vulnerabilities that let cybercriminals in.

This is one of the easier actions on our list because, most likely, you can enable automatic updates or update notifications on your computer and devices. On your computer, you can do this by going to Settings > Update & Security if you use a PC or System Preferences > Software Updates if you use a Mac. You should also enable automatic updates on your web browser, which you can do in your browser’s preferences. 

6. Use encrypted email when sending sensitive information

When you use regular email to send messages, it’s like sending a postcard in the mail. Anyone can read it. Fortunately, most email services use TLS encryption, which encrypts an email message while it’s in transit. 

However, once the email arrives at its destination, it’s like a letter sitting in a letter tray. Anyone can pick it up and read it. 

That’s why, if you really want to secure your messages from everyone’s eyes but the intended recipient’s, it’s necessary to encrypt them both in transit and once they have arrived. You can achieve this with a form of encryption that uses keys, such as OpenPGP. Simply put, only the intended recipient has the key to open the email. Think of it as sending a message in a locked box instead of a sealed envelope.

Not all information requires this level of security, but if you’re a healthcare practitioner, plenty of the information you send back and forth probably qualifies as protected health information (PHI) and needs to be encrypted as required by HIPAA.  

If you’re wondering if HIPAA applies to you, read our blog post Do you need to be HIPAA compliant?

Take a look at this list of items belonging to clients/patients. If you’re in the habit of sending any of these through email, you should be using an encrypted email service, such as Hushmail for Healthcare, that provides more than just TLS encryption. 

  1. Names (full or last name and initial)
  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people
  3. Dates (other than year) directly related to a client/patient
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers (including serial numbers and license plate numbers)
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal, and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number or characteristic
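Several items on the list above have a recognizable shape, so a draft can be checked before it leaves the practice. The following pre-send check is an added example, not Hushmail's code; the regular expressions are constructed heuristics for the pattern-detectable categories only (names, addresses and free-text identifiers need a human eye), and the MRN format is a hypothetical one.

```python
import re

# Categories come from the HIPAA identifier list above; the patterns are
# constructed heuristics (assumptions), not an exhaustive PHI detector.
# Names, street addresses and free-text identifiers cannot be caught by regex.
PHI_PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Phone or fax number": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "Date (other than year)": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    # Hypothetical chart-number format; adjust to your own EHR's scheme.
    "Medical record number": re.compile(r"\bMRN[- ]?\d{6,}\b", re.IGNORECASE),
}


def find_phi(text):
    """Return (category, matched_text) pairs for every pattern hit in text."""
    findings = []
    for category, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((category, match.group(0)))
    return findings


def requires_encrypted_email(text):
    """True when the draft contains at least one pattern-detectable identifier."""
    return bool(find_phi(text))


if __name__ == "__main__":
    # Constructed sample draft, not a real message.
    draft = (
        "Hi Dana, following up on our 03/14/2021 session. Your claim was "
        "filed under MRN-004512; call (555) 010-2345 if the pharmacy asks."
    )
    for category, value in find_phi(draft):
        print(f"{category}: {value}")
    if requires_encrypted_email(draft):
        print("Send this through encrypted email, not plain email.")
```

A hit means the message belongs in the encrypted service; a miss does not prove the draft is free of PHI, since the first three list items are not pattern-detectable.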

Educate yourself about cybersecurity

There’s much more to learn about cybersecurity, but these six actions are a good place to start for securing your practice. 

For more information about Cybersecurity Awareness Month and protecting your information online, visit StaySafeOnline. For more cybersecurity tips you can implement today, here’s a tip sheet from the National CyberSecurity Alliance: Own Your Role in Cybersecurity: Start with the Basics.

National Cybersecurity Awareness Month is a good time to consider your practice’s online security and fix vulnerabilities. These six actions are a good place to start for securing your practice: 1) use two-step verification as an extra layer of security, 2) create unique passphrases for every account, 3) be watchful and spot phishing attempts before you get hooked, 4) be careful when using public WiFi, 5) update your software, and 6) use encrypted email when sending sensitive information.
