How to protect your data (and your clients’): Tips from the tech team

Every year, providers take refresher trainings on protected health information (PHI) and the HIPAA Privacy Rule. Yet when it comes to our own daily, digital lives, people underestimate how entangled our personal, virtual data is with our professional spheres, much as we try to keep them separate. 

We spoke with Aaron Friedus, UpLift’s Vice President of Engineering, to get tips about what to consider to protect your clients’ data as you build your virtual practice. 

Is your online security up to standard?

You already know that you shouldn’t share account information of any sort when it comes to any of your professional tools. After all, many of these accounts access PHI that can put people (and entities) at risk. 

This level of security matters for your personal accounts, too, especially if any of your accounts or names overlap with your professional ones. Besides someone finding all your embarrassing secrets or emptying your bank account, overlap in your accounts can lead to someone gaining access to PHI. 

Here are some reminders about securing your accounts. 

Don’t share your passwords

“It’s simple and straightforward, but still important to remember,” says Friedus. Be wary with whom you share any account information. Negligence can be as dangerous as malice when it comes to letting people into any of your accounts. 

Like many people, maybe you like to stream media in your spare time and you’re on a group plan. If that’s the case, be mindful of how you set up your login information, such as password security. 

Don’t reuse passwords

When you create or update an account for a service, use different passwords. “If your login information for an account gets compromised, different passwords mean a cyber attacker can’t use the same information to get into another one of your accounts,” says Friedus. “Whether that’s your email, your online banking, maybe your CAQH or anything you use for your virtual practice—have a unique password for everything.”

If you have a hard time coming up with new, unique passwords each time, there are many password generators that can help you. 

Don’t give access to your computer (and devices) to other people

Often, our devices store our login information in browsers or on our systems. Try not to let other people use devices that can get into accounts that are connected to any PHI, especially people you’ve never met in-person. 

Set up 2-factor authentication

“If you can, don’t make logging into your account just a single step,” says Friedus. Use two-factor authentication, also known as 2FA, which means that it takes two forms (or more, for multi-factor authentication) of identification to get into your account. 

An example of this might be a service that asks for your password then asks you to confirm that you were the one logging in through a different device or application. Another example is when you put in a password to log in then need a code that was sent to you via text, email, or an authentication app. 

“Though some forms are more secure than others,” explains Friedus, “any form of 2FA is better than none. Authenticator apps are the most secure but email or text still works.”

Think of your digital surface area

How many accounts do you have? Now how many of those accounts are linked to another one? 

This line of thinking can protect you and your clients from cyber attacks. In the world of cybersecurity, an attack surface is “the entire area of an organization or system that is susceptible to hacking. It’s made up of all the points of access that an unauthorized person could use to enter the system.”

For people who work with PHI, Friedus suggests thinking of your online surface area as a whole and to ask yourself, “How much deals with patient data?” 

That likely starts with your emails and protecting it, using some of the methods mentioned above. Next steps would be to inventory all of your systems that contain patient or clinical data. This list serves as a start, but there may be more depending on your role: 

• Emails
• Calendars
• Address books
• Payment systems
• Vendors

Watch out for phishing scams

Phishing is a common type of scam where someone tries to get your data through some form of communication (text, email, direct messages, phone calls, etc.) to access your information. 

Cyber attackers have gotten sophisticated in their methods: They could try to get you to download a software. They may pretend to be a company you use asking for more information. They may pretend to be authorities. They may even pretend to be someone you know. 

“It’s so easy today for scammers to impersonate someone you trust,” says Friedus. “You’ll get emails from someone pretending to be someone in your organization or your own family members. It’s important to double check the email address someone is contacting you from, even triple check, because sometimes they do a really good job of imitating the actual business’s info.”

What should you do if you suspect your security has been compromised?

If you suspect that someone has gotten access to your data—and your client’s data—here’s where you could start. This isn’t an exhaustive list of what you’ll need to do but can get you moving fast to contain cyber attacks: 

1. Change all your passwords. Create fresh passwords on a computer that hasn’t been compromised. 
2. Freeze your credit. If you suspect someone got your personal financial information, report it to the three credit bureaus. 
3. Report the cyber attack to the authorities. The US Department of Health and Human Services put together a guide and checklists for HIPAA-covered entities and businesses that need to report a breach in cyber security. If you’ve been the victim of a cybercrime, you may also want to file a complaint with the Internet Crime Complaint Center (IC3).