Cybersecurity tends to feel like someone else’s job. You’re busy keeping your practice running so your team can provide patient care. Nobody has time to fiddle with computer settings or take employee cybersecurity training over and over. Change passwords and set up two-factor authentication? Maybe next time. But for every single member of healthcare staff, cyber hygiene absolutely matters.
What is Cyber Hygiene?
If you’re running a dental practice, you probably have a very specific definition of hygiene that has very little to do with computers, but bear with us for a moment. Cyber hygiene is the set of everyday routines that employees can use to keep systems and data secure. These are easy, repeatable habits that have a huge impact on how well you can protect your practice against breaches and compliance violations.
Employee Cybersecurity Training 101
According to the Pew Research Center, 73% of American adults have been on the receiving end of an online scam. At the same time 71% of them say they know a fair amount about how to avoid falling for a scam or attack. Well, which is it? Do people know cyber hygiene or not? Most likely, they do know how to protect their data, but they’re cutting corners. Here’s how to help keep your practice safer.
Use Strong, Unique Passwords Everywhere
Using recycled passwords is one of the easiest ways for attackers to enter a system, and it has a frighteningly high success rate. Good cyber hygiene means using difficult-to-guess passwords, not sharing logins with other people (or with yourself on other accounts), using password managers instead of sticky notes, and using multi-factor authentication every time.
Recognize Phishing Emails and Report Them
These days, phishing attempts are not as easy to spot as an email from a prince asking to borrow your banking credentials. They make up 16% of data breaches, and they’re only getting progressively more complex, especially with AI. And because you handle so much sensitive information, health and dental practices are prime targets.
Instead of throwing your laptop into the sea and switching to paper charts, teach employees how to identify suspicious messages and avoid clicking anything that raises a red flag. It’s better to deal with a missed legitimate message than the fallout from a cybersecurity breach.
Promote Safe Device Use Every Day
Once your employees log in safely, avoid following sketchy links, and finish their day, they shouldn’t just walk away from open programs. Healthcare employees using shared workstations makes cyber hygiene a little tougher, but that much more important. Log out and lock screens when stepping away, even if it’s just for a minute. Prevent employees from logging in from unsecured wi-fi when working remotely.
Get Insight into Your Known Exploitable Vulnerabilities (KEVs)
Known exploitable vulnerabilities (KEVs) are weaknesses in software, hardware, applications, or systems that are being actively exploited by attackers. According to our partners at Black Talon Security, which provides advanced cybersecurity services to health and dental practices, KEVs represent a clear and present danger because they offer attackers a proven path to gain access to systems.
Your patch management solution must be able to detect known exploitable vulnerabilities and patch them on-demand. Ignoring known device vulnerabilities is asking for trouble. Attackers regularly scan for unpatched systems to exploit, so by keeping your hardware and software up-to-date (and decommissioning what cannot be secured), you eliminate many of the easiest opportunities for hackers to gain entry.
Own Your Executive Accountability
Aside from the obvious duty to protect patient privacy, strong cybersecurity is now a business imperative. In the past, business owners and leaders left these responsibilities to their IT departments, but the majority of IT resources can’t stay ahead of emerging threats creating even more risk. Without the proper expertise and independent oversight to perform ongoing audits of security it quickly becomes an operational, financial, and regulatory compliance issue. Like HR issues, the responsibility of cybersecurity ultimately ends up at the top.
Having full visibility to meaningful security metrics for the entire practice allows you to communicate the value of cybersecurity to executives and board members in business terms. Instead of vague statements, you can honestly say things like, “We blocked 500 spam/phishing emails last month and reduced our phishing click rate from 10% to 2%, preventing an estimated X incidents.” This helps in getting buy-in and budget for security initiatives. Metrics also highlight successes, which can reinforce good behaviors in the team.
How to Set Up HR Cybersecurity Policies
Cybersecurity incidents are on the rise, and they’re only getting more sophisticated as technology advances. That means that implementing an HR cybersecurity policy, not a one-time sign-off, but regular trainings that you put in writing and track for completion, can keep your practice safer.
Add Cyber Hygiene to Your Handbook
Unless you love answering the same questions over and over again, get a great employee handbook. It’s your first line of defense against common compliance complaints, and your employees can always look to the book for FAQs. To keep your data safer, include an explicit HR cybersecurity policy that describes what good cyber hygiene looks like and how to report a problem.
For example, a good cybersecurity policy for social media might prohibit using your practice’s computers for personal internet, making sure only authorized employees have access to passwords and social accounts, not saving passwords to computers, and so on.
Include It in Onboarding
Once you’ve established your policy, make it part of your new hire process. Define what is and is not acceptable for data handling, and set expectations for reporting anything suspicious. HR for Health’s self-onboarding puts all the paperwork in one place (not your desk!) so you’ll know newbies are completing all the documents they need.
Maintain Ongoing Compliance
Sitting through a single training session or zooming through a boring presentation doesn’t change behavior very much. The trick is to make cyber hygiene a visible, repeatable, enforceable policy. Once you’ve made the policy, track employee cybersecurity training completion and store certificates using HR for Health. Part of policy enforcement means setting consequences. You can use HR for Health to document any policy violations and create a trail of documentation.
Making It a Policy Makes It Real
No security program is a perfectly impenetrable fortress, but you can get a whole lot closer when you and your entire team have a good HR cybersecurity policy, and you actually follow it. That means no weak or recycled passwords, no leaving work devices unlocked and unsupervised, and no clicking suspicious links. It also means including cyber hygiene policies in your employee handbook and following through with regular training for ongoing compliance. Ready to build the employee handbook of your dreams? We’ll keep all the documentation in one secure place so you can rest easier. Grab a demo to see how HR for Health makes it happen.
