Dr. Mark S. Sanchez offers practical steps to keeping your private and professional information from the ne’er-do-wells.
“You’ve just been infected. Send $500 within 72 hours, or we’ll wipe your computers.” That was the message one office administrator read after clicking on the icon that was supposed to provide her with information on how to run her office more efficiently. So what did she do? More importantly, what would you do?
Unfortunately for the medical doctor’s office in Macon, Georgia, the administrator rebooted her computer thinking that would solve the issue and didn’t mention the incident to anyone. Not at first. Not even at a time when the ransomware Trojan CryptoLocker was playing a starring role in world news. And, days later, the practice started to notice things going awry. Schedules wiped. Files corrupted. Computers acting funny. True to its threat, the ransomware Trojan that had hijacked their computers was now wreaking havoc on their system. An emergency office meeting was held, and through the discussion the administrator finally realized her error. She just didn’t know. It was an honest mistake. None of the data was stolen (whew!), but in the end the mistake forced the practice to manually re-enter 3 months’ worth of office notes, which increased labor costs by a quarter that year.
So, what would you have done? Still don’t think about it much? Yikes! Well, it’s OK that I do, and that’s why I wrote this article — to help you keep your valuable information from the destructive ways of those hackers, thieves, and no-good pilferers of the world.
I know that people want convenience above all else. Incredibly, a third of smartphone users in the United States still don’t set up password security on their phones. According to Confident Technologies, 65% of users have corporate data on their phone, even though only 10% actually have a corporate-issued device. That’s pretty scary. Security measures are now an absolute must, especially if your patients’ precious information is in your hands. Thankfully, it doesn’t have to be all that daunting. Here are a few safety measures I require my staff to incorporate in my practice. And, I also encourage them to do the same in their personal online lives. This stuff is important.
Security rule No. 1: When in doubt, don’t click. Ever. When it comes to links and attachments in emails, even if the message appears to come from someone you know and trust, resist temptation. Give the sender a call to confirm they did indeed send it; a compromised account can send mail in a friend’s name. And if it’s from your bank or another vendor, check the safe way: type the company’s website address into your browser yourself. Why the extra caution? Because the text of a link in an email can say one thing while the link itself points somewhere else, and a faked site can look exactly like the real one.
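To make rule No. 1 concrete, here is an added example, not code from the original article or from topsOrtho, that inspects the links in the HTML body of an email and flags the tricks phishers rely on: link text that shows one website while the link itself goes to another, links that go to a bare IP address, and links that aren’t HTTPS. The sample message, the domain names and the IP address in it are constructed for the demonstration.

```python
"""Flag deceptive links in an e-mail body.

Added example for rule No. 1; not code from the original article.  The
sample message, domain names and IP address below are constructed for the
demonstration (198.51.100.7 is a reserved documentation address).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link followed by two deceptive ones.
SAMPLE_EMAIL_HTML = """
<p>Your statement is ready.</p>
<a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a>
<a href="http://www.example-bank.com.evil-host.net/login">www.example-bank.com</a>
<a href="http://198.51.100.7/verify">Click here to verify your account</a>
"""

# A hostname as a reader would see it in link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_shown_in(text):
    """Return the hostname a reader would believe the link goes to, if any."""
    match = HOST_IN_TEXT.search(text)
    return match.group(1).lower() if match else None


def audit_links(html):
    """Return one finding per link: href, visible text and a list of reasons
    it looks suspicious (an empty list means nothing was found)."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        if IPV4.match(host):
            reasons.append("link goes to a bare IP address")
        shown = host_shown_in(text)
        # "example-bank.com" shown with a link to "www.example-bank.com" is
        # fine; "www.example-bank.com" shown with a link whose real domain is
        # evil-host.net is the classic phishing trick.
        if shown and host != shown and not host.endswith("." + shown):
            reasons.append(f"text shows {shown} but link goes to {host}")
        if parsed.scheme.lower() == "http":
            reasons.append("link is plain HTTP, not HTTPS")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def suspicious_links(html):
    """Only the links that triggered at least one reason."""
    return [f for f in audit_links(html) if f["reasons"]]


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The second sample link is the one to study: the real domain is the last two labels of the host (evil-host.net), and everything in front of it is decoration chosen to match the text the reader sees. The script treats a link as honest only when the host in the text is the link’s host or a parent of it.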
Security rule No. 2: Open an online account the safe way. If the site lets you use a username that is not your email address, pick a word or code that no one would guess. A username isn’t secret the way a password is, but an attacker who can’t guess it has one more thing to get right before they can even start trying passwords against your account.
Security rule No. 3: Set an admin password on every computer. And make sure those passwords are at least 16 characters. To keep it memorable, string together three or four words into a phrase that isn’t a common saying or a popular lyric, something like “Cats grace the dance floor” or anything nonsensical but easy to remember. Use a different phrase for each machine and account, and don’t reuse one as a username or email address.
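As an added example (not from the original article), the following script generates passphrases of the kind rule No. 3 describes, checks a candidate phrase against the length, word-count and common-phrase rules, and shows why the word list matters: the tiny built-in list here is constructed for the demo and gives only 16 bits of guessing work for four words, whereas four words drawn from a 7,776-word list such as the EFF long list give about 52 bits.

```python
"""Generate and check passphrases of the kind rule No. 3 describes.

Added example; not code from the original article.  The word list and the
common-phrase list are constructed and deliberately tiny so the script runs
stand-alone; a real deployment should use a large published word list such
as the EFF long list (7,776 words).
"""
import math
import secrets

MIN_LENGTH = 16   # characters, as the rule requires
MIN_WORDS = 3     # the rule's "three or four words"

# Constructed demo word list (16 entries).
WORDS = [
    "cats", "grace", "dance", "floor", "amber", "violin", "glacier", "pocket",
    "lantern", "marble", "orbit", "quiet", "ripple", "saddle", "tundra", "walnut",
]

# Constructed stand-in for a list of sayings and lyrics a guesser tries first.
COMMON_PHRASES = {
    "let it be",
    "happy birthday to you",
    "to be or not to be",
}


def entropy_bits(word_count, list_size):
    """Guessing work for word_count words chosen uniformly from list_size."""
    return word_count * math.log2(list_size)


def check_passphrase(phrase):
    """Apply the rule: long enough, enough words, not a saying everyone knows."""
    words = phrase.lower().split()
    if len(phrase) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(words) < MIN_WORDS:
        return False, f"fewer than {MIN_WORDS} words"
    if " ".join(words) in COMMON_PHRASES:
        return False, "a well-known phrase"
    return True, "ok"


def generate_passphrase(word_count=4, wordlist=WORDS):
    """Pick words with the OS random source (secrets, not random.choice) and
    retry until the result passes check_passphrase."""
    while True:
        phrase = " ".join(secrets.choice(wordlist) for _ in range(word_count))
        ok, _ = check_passphrase(phrase)
        if ok:
            return phrase


if __name__ == "__main__":
    print("suggested:", generate_passphrase())
    print(f"demo list: {entropy_bits(4, len(WORDS)):.1f} bits for 4 words")
    print(f"EFF list : {entropy_bits(4, 7776):.1f} bits for 4 words")
    for candidate in ["Cats grace the dance floor", "happy birthday to you", "short pass"]:
        print(f"{candidate!r}: {check_passphrase(candidate)[1]}")
```

The point of the entropy line is that length alone isn’t the whole story: four words chosen from a 16-word list pass the 16-character rule but can be guessed in a few thousand tries, which is why the words should come from a large list and be picked at random rather than chosen by hand.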
Security rule No. 4: Accommodate guests with a separate WiFi access point. Keep visitors’ phones and laptops off the network that carries your practice and patient data with this very simple measure: a guest network that can reach the internet but not your office computers. An easy password like “MakeMeSmile” can add a little fun to the security measure, too.
Security rule No. 5: Limit laptop access. Grant admin access to laptops to as few people on staff as possible; I suggest just you and the office manager. For daily use by the rest of the staff, a non-admin account on each computer will work just fine, and it limits the damage a mistaken click like the one in Macon can do.
Security rule No. 6: Think of the screensaver as a security measure. Set it to come on after your computer has been idle for 5 minutes and to require your password before anyone can get back on again.
Security rule No. 7: Create a hot-corner lock. Set a hot corner (the Hot Corners option on a Mac) in the lower left of the screen that instantly activates your locked screensaver. The moment you have to leave your computer unattended, move the cursor to the lower left corner and, bam, instant lockout. On Windows, pressing the Windows key and L together does the same job.
Security rule No. 8: Never store your PIN. Never. Don’t store credit card numbers or PINs to bank accounts anywhere on your computer. Nowhere. Really. Don’t do this. Thieves are very clever and will find the information.
Security rule No. 9: Don’t be so obvious. Forget your password a lot? I do, too. To reset your password, many sites send you an email with reset information. They try to be secure but, really, an address made from your first and last name is pretty easy to guess. So I set up a special email that serves as the only avenue to retrieve my passwords via email should I forget. I never use it for anything else and, of course, I use a name that is not easily deduced. For example: an address built from your first and last name becomes something like CatsGraceTheDanceFloor@gmail.com.
Security rule No. 10: Use proven security-enhancing tools. I really like the password generator called 1Password because it keeps all the important information encrypted and secure. Even better, it helps me manage all the different usernames and passwords for every online account I have. That’s something to think about for your own accounts.
Just think of it this way: You need to protect your house and safeguard it against thieves in the physical world. A sign that says you have an alarm is usually enough to discourage a thief, so he moves on to the next house. So you get an alarm to go with the sign as well as a giant Doberman pinscher named “Killer,” and chances are you’re going to be just fine. The same concept applies in the virtual world.
By now, you can tell I’m a bit obsessed with security. That’s why I made sure that topsOrtho™ software has built-in, thief-foiling measures, too. I know, shameless plug, but since you’ve read this far, here’s what we’re doing for orthodontist offices: We started with a Mac-based software system, so topsOrtho is just inherently more secure than its PC-based counterparts. To augment safeguarding measures, we added an increasingly long wait between each misguided password entered into the topsOrtho log-in window. Each incorrect passcode that is entered results in an increased delay before topsOrtho will accept another passcode attempt. This is to slow down the ne’er-do-wells who might use an automated passcode entry tool to try and guess your password. The delay time increases exponentially with each incorrect entry, so that only a small number of attempts can be made. That’s just one of many security measures we included in our software. Of course, we’re always looking to add more.
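For readers who want to see what such a delay looks like in code, here is an added example of a login throttle with an exponentially growing delay, written for this article as an illustration; it is not topsOrtho’s code and makes no claim about how topsOrtho implements its delay. The user store, password and clock values are constructed for the demonstration. It also handles two cases a practitioner would ask about: the delay is capped so a determined guesser can’t keep the real user locked out forever, and an unknown username is treated exactly like a wrong password so the login window doesn’t reveal which names exist.

```python
"""Login throttle with an exponentially growing delay after each failure.

Added example written for this article; it is not topsOrtho's code and makes
no claim about how topsOrtho implements its delay.  The user store, passwords
and clock values are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time

BASE_DELAY = 1.0      # seconds to wait after the first failure
MAX_DELAY = 300.0     # cap: doubling forever would let a guesser lock the
                      # real user out indefinitely
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns (salt, digest) for the user store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Compared against when the username does not exist, so an unknown name costs
# the same time as a wrong password and the response reveals nothing.
DUMMY_RECORD = hash_password(os.urandom(16).hex())


def delay_for(failures):
    """1 s, 2 s, 4 s, 8 s ... capped at MAX_DELAY."""
    if failures <= 0:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)


class LoginThrottle:
    def __init__(self, users):
        self._users = users       # username -> (salt, digest)
        self._state = {}          # username -> (failures, not_before)

    def attempt(self, username, password, now=None):
        """Returns ("ok", 0.0), ("bad_password", seconds_to_wait) or
        ("too_early", seconds_remaining).  `now` is injectable for tests."""
        now = time.monotonic() if now is None else now
        failures, not_before = self._state.get(username, (0, 0.0))
        if now < not_before:
            # Refuse to even check the password until the delay has passed.
            return "too_early", not_before - now
        salt, digest = self._users.get(username, DUMMY_RECORD)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if username in self._users and hmac.compare_digest(candidate, digest):
            self._state.pop(username, None)   # success resets the counter
            return "ok", 0.0
        failures += 1
        wait = delay_for(failures)
        self._state[username] = (failures, now + wait)
        return "bad_password", wait


if __name__ == "__main__":
    users = {"office": hash_password("Cats grace the dance floor")}
    throttle = LoginThrottle(users)
    clock = 0.0
    for guess in ["password", "letmein", "orthodontist", "Cats grace the dance floor"]:
        status, seconds = throttle.attempt("office", guess, now=clock)
        print(f"t={clock:5.1f}s  {guess!r:30} -> {status} ({seconds:.0f}s)")
        clock += seconds + 0.5   # wait out the delay before the next try
```

Two design choices are worth noting. The delay is enforced before the password is even checked, so an automated tool gains nothing by ignoring the wait; and the counter is kept per username, which is what slows down a guesser hammering one account, but it is also why the cap matters, since without it the same guesser could keep the legitimate user waiting indefinitely.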
There are so many more discussions and tips on the topic of security, but only so much space on the page. If you’re interested, I talk a lot about security on social media, so if you want to keep abreast of the latest without doing all that exhausting research yourself, you can follow me and topsOrtho on LinkedIn (tops Software), Facebook (facebook.com/@topsOrtho), and Twitter (@topsOrtho) for more on the subject.
Don’t let them win. Stay safe.