Friday September 16, 2016  |  William Crank, Senior Director/CISO Network & Security at MEDHOST

Best Practices for Healthcare Information Security

Today's cyber criminals aren't disorganized, disgruntled individuals who act alone. Now there are entire operations devoted to running healthcare phishing, malware, and ransomware scams to get past your information security system and infiltrate your healthcare data. Not only do these cyber criminals have concrete business models, they also have the resources to perform cost-benefit analyses that determine if it's worth the money to access your data. Fortunately, if your security is tight, there's a good chance that hackers will leave your information alone because they don't want to waste resources trying—and hopefully failing—to access your system.

However, if your information isn't secure or your employees aren't in the practice of analyzing emails before they click suspicious links, your organization (as well as patient care data) could be at risk.

Phishing Emails, Ransomware, and Malware

In recent years, stories about healthcare organizations suffering from security problems have flooded the news. Phishing emails, ransomware, and malware have plagued businesses as unknowing employees click suspicious links and accidentally give hackers access to important data.

The term "phishing emails" describes messages that look for people's credentials or drop a piece of malware or ransomware onto a person's PC. Malware is software intended to disable computer systems, while ransomware is designed to block access to a computer system until money is paid to get your information back. Once these malicious programs are on an employee's computer, it's likely that cyber criminals can get a hold of important data or infrastructure information.

Unfortunately, phishing scams are on the rise. The Anti-Phishing Working Group (APWG) has observed an uptick in phishing attacks in the first quarter of 2016. According to APWG's Phishing Activities Trends Report, the number of unique phishing websites is at a record high of 289,371.

Best Practices for Keeping Health Information Secure

While all MEDHOST products are developed with security in mind, there are extra precautions all health organizations can take to stay better protected:

  1. Instill a "think before you act" mindset.

    Provide education and hands-on training to help employees get in the habit of analyzing emails before they click any links. It's likely that if one person in your organization gets a suspicious email, that same email is sitting in the inboxes of dozens of other people. It only takes one click to infiltrate your data.

  2. Report a suspicious email right away.

    Make sure your team is willing to report suspicious messages immediately. As soon as one gets reported, your security team can jump into action to block the domain and any outbound connections.

  3. Use endpoint protection and keep it updated.

    Regularly updated endpoint protection provides security for company servers and workstations.

  4. Scan in real time.

    This is one of the best methods for protecting against hackers. Several tools are available to scan incoming messages in real time and filter as many suspicious messages as possible.

  5. Have a good backup strategy.

    This is one of the most important actions you can take. If you don't have good backup data, you're at the mercy of cyber criminals. When your data is actually updated and safe, you don't have to pay criminals to decrypt your information and get your data back. Without a good strategy, you're in the unfortunate position of being exactly where they want you, especially if your data is critical to patient care.

MEDHOST takes security seriously by implementing controls in the development of our products. Our Meaningful Use certifications* show that we perform security testing regularly to help keep your information as safe as possible.

For a review of the EHR certifications and accompanying "Cost and Limitations", visit
