Did a tech click on a fake Facebook story?   Was it a doctor that viewed the wrong email? Did the office manager plugged in an infected USB flash drive or was it a cyber criminal hacking into your wifi?

For now, it doesn’t matter.  Your practice computers have been compromised and you and your staff is plunged into crisis mode.  Time to open your checkbook.  Getting back to normal is going to cost you a lot of time, energy and money.

If you don’t like that idea, here are some ways you can keep your systems safe:

For the Staff

  • Educate – Doctors and staff need to be reminded about IT security regularly.  It takes repetition to change behavior.
  • Emails – Don’t open suspect emails.  (We will provide some quick ways to detect suspicious emails)
  • Smartphones – Do not plug in smartphones into office computers or devices.  These are potential virus carriers. Use recharging blocks or power strips instead.
  • USB Memory sticks – Do not plug in USB memory sticks that have been used outside the office into practice computers or devices.
  • Websites – Do not visit non-work related websites.
  • Passwords – Use strong passwords, if strong passwords are too much of a challenge to remember, try using human friendly passwords by stringing along 3 words together with numbers and symbols in between
  • Lock screens – Manually lock the screen when leaving and use screensavers to lock computers.
  • Restrict access – Don’t allow non-employees use practice computers, for any reason.
  • Don’t share user accounts
  • Do not use personal emails for work.
  • Data – Destroy data with patient information when no longer needed.  Deleting them does not destroy the data, it only tells the computer that the space can be overwritten.

For the Center’s Head of Information Technology

  • Emails – Keep spam filters operational and filter suspect email addresses.
  • Virus scanners – keep them up to date and scanning daily.
  • System updates – keep them up to date and scanning daily, consider automatic updates.
  • Networks – use subnets to isolate critical systems from general use computers if possible.
  • Firewalls – close unnecessary ports.
  • User accounts – don’t share accounts, do not use administrator accounts unless you are working on IT infrastructure.
  • Screen savers – set screen lock to 1 minute but ask staff to manually lock the screen when leaving.
  • Internet usage – restrict websites that are not work related.
  • Restrict use of USB ports to be only accessible from an administrator account.
  • User accounts – don’t share them, have an administrator account that only the IT staff use for updating the system.
  • Backups – back up systems but make certain they can’t be easily removed.
  • Imaging devices – keep them updated, shield them or isolate them completely.
    Legacy devices that are connected to the internet need to be updated or shielded from attackers.
    (For ophthalmologists, these legacy systems include TopCon TRC 50, TopCon NW6, TopCon NW8, Heidelberg Spectralis, Heidelberg HRT, Heidelberg OTC, as well as Zeiss, Humphreys, and any other system that runs Windows XP or unpatched versions of Windows 7 and Windows 8)
  • Disposal – NEVER donate the hard drive in computers.  Erased or reformatted drives can still be read.
  • Data – Destroy documents with patient information.
  • Mobile devices – Secure corporate laptops and mobile devices with a “kill switch” that will erase all information if it is stolen.
  • Insurance – Consider getting insurance that covers cyber attacks.
  • Plans – Have a disaster recovery plan, create a response team as well as a public relations plan.
  • Policies – Create IT security policies and make all employees sign it