The sensitive nature of the information inherent to substance use and mental health provider organizations demands establishing strong safeguards to protect patient privacy. The best defense in cybersecurity remains user education that incorporates all staff in an organization, explains Matthew Prete, Sigmund Software’s chief product and information officer.
Behavioral health organizations should instill in all staff a healthy skepticism of any unexpected or suspicious electronic communication that comes their way, Prete says. “People get complacent — you have to have constant reminders,” he says. “There are people all over the place who want to take your money.”
Some of the routine practices that Prete advises organizations to implement could be described as time-consuming or even painful, but they are critical to mitigating the risk of a cybersecurity incident. “We get pushback,” he says. “We advise automatically disabling all accounts that haven’t logged in for 14 days. This tends to be a headache. But best practice should be to disable an account when someone is gone.”
Another red flag is when a staff member who constantly asks IT for help is simply added to the administrative group, with its expanded access to information, just to save time and trouble. Smart organizations keep access to a minimum, Prete advises, reducing the risk of breaches.
Perhaps the most important rule of thumb when it comes to cybersecurity is to always be proactive. Organizations should conduct a comprehensive risk assessment that identifies any potential weak points in their systems.
Prete says leadership also should conduct regular audits of whose records staff are accessing, and when. Patterns that show intensive activity on a particular day, or regarding a certain patient, should be identified and acted on if necessary.
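As an added illustration of two of the routine checks described above (the 14-day dormant-account rule and the audit of which records staff access, by day and by patient), the following Python script runs both over constructed sample data. It is not Sigmund Software's code, and the account names, patient IDs, timestamps and alert thresholds are all assumptions.

```python
"""Added example: dormant-account and record-access audit checks over constructed data."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: last successful login per account (ISO 8601).
LAST_LOGIN = {
    "jsmith": "2024-03-01T08:15:00",
    "rlee": "2024-03-05T23:00:00",
    "tnguyen": "2024-02-10T17:40:00",   # left the organization, never disabled
    "svc_backup": "2024-03-04T02:00:00",
}

# Constructed sample audit trail of patient-record access: (user, patient_id, timestamp).
ACCESS_LOG = [
    ("jsmith", "P-1001", "2024-03-04T09:01:00"),
    ("jsmith", "P-1002", "2024-03-04T09:30:00"),
    ("jsmith", "P-1003", "2024-03-04T10:02:00"),
    ("jsmith", "P-1004", "2024-03-04T10:45:00"),
    ("jsmith", "P-1005", "2024-03-04T11:20:00"),
    ("jsmith", "P-1006", "2024-03-04T11:55:00"),   # six records in one day
    ("rlee", "P-2007", "2024-03-05T23:10:00"),
    ("rlee", "P-2007", "2024-03-05T23:12:00"),
    ("rlee", "P-2007", "2024-03-05T23:15:00"),     # same patient three times
    ("mgarcia", "P-3001", "2024-03-05T14:00:00"),
]

def dormant_accounts(last_login, now_iso, max_idle_days=14):
    """Return accounts with no login in the last `max_idle_days`; these are candidates to disable."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    return sorted(u for u, ts in last_login.items() if datetime.fromisoformat(ts) < cutoff)

def unusual_access(access_log, per_user_day_threshold=5, per_patient_threshold=3):
    """Flag intensive activity by one user on one day, or by one user against one patient."""
    by_user_day, by_user_patient = Counter(), Counter()
    for user, patient, ts in access_log:
        by_user_day[(user, ts[:10])] += 1          # ts[:10] is the calendar day
        by_user_patient[(user, patient)] += 1
    findings = [f"{u} opened {n} records on {d}"
                for (u, d), n in sorted(by_user_day.items()) if n >= per_user_day_threshold]
    findings += [f"{u} accessed {p} {n} times"
                 for (u, p), n in sorted(by_user_patient.items()) if n >= per_patient_threshold]
    return findings

if __name__ == "__main__":
    print("Disable:", dormant_accounts(LAST_LOGIN, "2024-03-05T23:59:00"))
    for line in unusual_access(ACCESS_LOG):
        print("Review:", line)
```

The thresholds are starting points; a real deployment would tune them to the organization's normal caseload so that legitimate intake days do not generate constant noise.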
Prete also emphasizes the importance of establishing in advance a response plan for any security incident that might occur. “You don’t want to do this on the fly,” he says. “I highly recommend that organizations create a list of contacts, showing who will be the first, second, third call. Time is your enemy when you’re going through any type of security event.”
In our next blog we will share more tips on sound practices that behavioral health organizations can adopt in their everyday operations.