For over a decade, the U.S. has observed National Cybersecurity Awareness Month in October. This year might feel a little different to some of us, however, because so much of our personal and work lives is online due to the pandemic. Before this year, October might have inspired a few quick checks to make sure your accounts were secured with unique passwords and two-step verification was implemented where needed.
This year, cybersecurity requires a little more thought. You might be asking yourself some important questions:
- How secure is my teletherapy platform?
- Are the web forms I’m using with my clients as secure as they need to be?
- With practically all of my practice online, where are the vulnerabilities?
You spent the summer getting your practice to run smoothly online. Now it’s time to conduct a thorough risk assessment to ensure it’s secure. Even if you’ve conducted a risk assessment in the past, it’s a good idea to review and update it if you’ve been called upon to make changes to your practice in the last six months.
How to conduct a risk assessment
Conducting a risk assessment might sound a little intimidating. As a small healthcare practice, you don’t have a separate IT department that can devote its time to assessing your risk. There’s no need to worry. Risk assessment is something you can do on your own at a level that’s comfortable for you. While HIPAA requires a risk assessment, it is also simply a best practice. Once you make it a regular part of your practice, you’ll wonder what you ever did without it.
So, where do you start? Risk assessment encompasses both your virtual and physical practice. However, for the purpose of this blog post, we’ll focus on your virtual practice.
Analyze your assets
Start by taking an inventory of your assets. This includes data that you store online, such as client information, session notes, emails, and web forms. Make a comprehensive list of what could be lost, stolen, or compromised in any way. Understanding what your digital assets are and knowing where they’re located will help you decide where your weaknesses are, what you need to protect, and what parts of your practice need to be strengthened.
Imagine the impacts
The next step is to imagine the consequences if any of these assets are compromised. What if you can’t access your client records or there’s a data breach and your clients’ sensitive information is exposed—how would your practice be affected? Would you lose clients? Would your reputation and ability to attract new clients be compromised? Would you lose revenue? How much? How long would it take to re-establish trust with your clients? These are scary questions, but by understanding the impacts of data breaches or loss, you’ll be able to prioritize where to invest in securing your systems.
Mitigate your risk
Now consider how those breaches or losses could happen. How might hackers infiltrate your digital information? Are there weaknesses in the way you, your staff, or third-party services access your systems? If so, how can you protect those areas?
If your passwords are weak or if you’ve been using duplicate passwords (a definite security no-no), that’s an easy fix. If you need help better managing your passwords, read our blog post How to choose a password manager.
If you realize you don’t have much of a security policy, take the time to write out a clear policy detailing what you’ll do on a consistent basis to protect your practice’s information. It doesn’t have to be fancy. Just get it down in writing and make it easily accessible so you can refer back to it when you need to.
If you haven’t been backing up your data, there’s no time like the present to start. If you use a practice management system, most likely it backs up your data for you. Check and make sure. If you don’t use a management system, are you backing up your information on a cloud service? If so, make sure it’s secure and HIPAA-compliant (ask for a signed BAA).
Once you know what your most important assets are, their value, and where they’re vulnerable, you can take the sensible steps that will help protect them.
Risk assessment example
Consider an example of a small counseling practice consisting of three practitioners and an office manager. Here’s what their risk assessment might look like:
- First, they look at their assets, noting a variety of digital items. They quickly determine that their clients’ personal information is the most essential for their practice.
- Next, they consider the consequences of a loss or damage to their key asset and determine that it includes embarrassment, a serious hit to their reputation, legal liability, HIPAA fines, and loss of current and potential future clients. In other words, it would have a major financial impact with potentially disastrous long-term consequences.
- Then, they consider potential threats by analyzing how they manage access to their sensitive client information. All three practitioners and the office manager have access to files on the network, where all the client data is stored, and the network has weak password protection. The practitioners and office manager made their own passwords, and some of them are very basic and used for multiple services across the web, further increasing the likelihood of a breach.
- Finally, they take action, starting by securing their clients’ information in a part of their network with password-protected access that’s tightly controlled and only accessible by those who absolutely need it. They also adjust their password policy to require the use of a password manager that generates strong, unique passwords.
Though the counseling practice had many other assets to consider, they focused on their clients’ personal information, since it was the most important to their business and the other assets were adequately secured. Rather than spread themselves thin worrying about every single asset, they zeroed in on the one that mattered most and took steps to secure it.
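The walk-through above can be written down as a small risk register so that the prioritization is repeatable year over year. The following is an added illustration, not code from the original post or any particular practice management product. The asset names, the 1-to-5 impact and likelihood scales, the threat descriptions, and the number of likelihood points each control removes are all constructed sample values for the counseling-practice example; a real practice would pick its own.

```python
"""Minimal risk register for a small practice.

Follows the four steps described above: list assets, rate the impact of
losing each one, rate how likely a compromise is given current access
controls, then apply mitigations to the highest-risk asset and recompute.

All scores and names here are constructed sample values (assumption).
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    """A mitigation and how many likelihood points (on a 1-5 scale) it removes."""
    name: str
    likelihood_reduction: int


@dataclass
class Asset:
    name: str
    impact: int                      # 1 = minor ... 5 = disastrous (assumed scale)
    likelihood: int                  # 1 = unlikely ... 5 = very likely, before controls
    threats: List[str] = field(default_factory=list)
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Risk before any mitigation: impact x likelihood."""
        return self.impact * self.likelihood

    def residual_likelihood(self) -> int:
        """Likelihood after controls, never below 1 (no control removes all risk)."""
        reduced = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        return max(1, reduced)

    def residual_risk(self) -> int:
        return self.impact * self.residual_likelihood()


def risk_level(score: int) -> str:
    """Map a 1-25 score to a label. Thresholds are an assumed convention."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def build_register() -> List[Asset]:
    """Step 1 and 2: the practice's digital assets with impact and likelihood ratings."""
    return [
        Asset("Client personal information", impact=5, likelihood=4,
              threats=["all four staff can reach the shared network folder",
                       "weak passwords reused across other web services"]),
        Asset("Session notes", impact=4, likelihood=2,
              threats=["stored in practice management system; vendor-managed backups"]),
        Asset("Intake web forms", impact=3, likelihood=2,
              threats=["form provider account protected by two-step verification"]),
        Asset("Practice email", impact=3, likelihood=2,
              threats=["unique password, two-step verification enabled"]),
    ]


def prioritize(register: List[Asset]) -> List[Asset]:
    """Step 3: rank assets so effort goes to the one that matters most first."""
    return sorted(register, key=lambda a: a.inherent_risk(), reverse=True)


def apply_mitigations(register: List[Asset]) -> Asset:
    """Step 4: apply the two controls the example practice chose to its top asset."""
    top = prioritize(register)[0]
    top.controls.append(Control("restrict folder access to staff who need it", 1))
    top.controls.append(Control("password manager with strong, unique passwords", 2))
    return top


def report(register: List[Asset]) -> List[Tuple[str, int, int, str]]:
    """(asset, inherent score, residual score, residual level), highest inherent first."""
    return [(a.name, a.inherent_risk(), a.residual_risk(), risk_level(a.residual_risk()))
            for a in prioritize(register)]


if __name__ == "__main__":
    reg = build_register()
    apply_mitigations(reg)
    for name, inherent, residual, level in report(reg):
        print(f"{name:32} inherent={inherent:2}  residual={residual:2}  ({level})")
```

The register deliberately scores only what the practice can estimate itself: how bad a loss would be, and how plausible one is given who can reach the data and how. Re-running it after a change to staff, vendors, or access arrangements is the "review and update" step the post recommends.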
Sign up to receive our risk assessment guide
Our risk assessment guide will hold your hand through the steps of conducting a risk assessment for your practice. Learn more about analyzing your assets, imagining the impacts, and mitigating your risk. Then, go through the steps one by one, and by the end of the guide you'll have conducted your risk assessment for the year.
National Cybersecurity Awareness Month is a good time to conduct a thorough risk assessment to ensure your practice is secure. Even if you’ve conducted a risk assessment in the past, it’s a good idea to review and update it if you’ve been called upon to make changes to your practice in the last six months. While HIPAA requires a risk assessment, it is also simply a best practice. Once you make it a regular part of your practice, you’ll wonder what you ever did without it.