Are you practicing proper cyber hygiene?

Protecting our information security is also a patient safety issue. Here’s your checklist.

Published on October 14, 2022

ITS security analyst

Share:

We all know that personal hygiene and preventive health measures such as clean hands and regular vaccinations promote strength and wellbeing for ourselves and others. We also know that ignoring such practices puts our patients at risk.

And so it is with cybersecurity hygiene. An employee’s daily attention to secure computer use fortifies Asante’s critical IT systems from cybercriminals who have demonstrated their ability to compromise and “crash” critical hospital computer systems — which also puts our patients at risk.

Each time you fail to log off of Epic, use a weak password, plug a personal USB device into an Asante computer or just forget to vet an email properly you are exhibiting poor cyber hygiene.

Such practices have caused patient-critical systems to crash or be usurped by criminals. When system data are stolen for sale or espionage, it results in patient privacy or financial loss. Ultimately, the consequences of a cybersecurity neglect and breach may include government fines, legal liability, reparation costs and damage to Asante’s reputation.

All Asante employees and medical staff are responsible for practicing good cyber hygiene as a routine part of patient care. To make this simple, ITS Security has developed an “Cyber Hygiene Employee Checklist.” It helps everyone stay clean of cyber security events and the damage they cause.

CYBER HYGIENE EMPLOYEE CHECKLIST

If it is electronic and used for Asante business and unprotected, don’t wait for someone else to secure it.
Need some guidance? Refer to the Asante Security Policy or call the ITS Service Desk.
Don’t print sensitive data and leave it all alone.
Retain, archive, delete or dispose of Asante systems and data according to Asante policy.

Only login to an Asante system as yourself, not with a “shared” ID.
Notify ITS if you are aware of systems which can be accessed via a shared ID, so that a more secure login method may be implemented if possible. Shared IDs are not compliant with HIPAA security practices since individual accountability cannot be traced to the shared login.

Cybercriminals can crack simple passwords in seconds or minutes.
Using strong passwords with or without Duo is an absolute requirement for employees. Duo multifactor authentication is the most secure system access method.
Avoid using the same password for different systems or accounts.
Make your passwords at least 12 characters long (and ideally longer).
Use a mix of upper- and lowercase letters plus symbols and numbers.
Use a passphrase instead! For example, B0z0 tamed 3 cats! / Be @ the Bar at 5.
Avoid the obvious, such as using sequential numbers (“1234”) or guessable personal information such as family member’s date of birth or a pet’s name.
Change default passwords on vendor-provided devices.
Never write passwords down or share them with others; instead use a password manager to help generate, store and manage passwords in one secure online account.

Leave a blank or locked screen behind you when you get up.
Gently remind busy coworkers to do the same.
Stick a Post-it reminder to the screen if you need to.

Assume all email is evil. Vet email before clicking on any links or opening any attachment. Refer to Asante phishing training in ALEC/HealthStream.
An email that triggers fear, anxiety, greed or excessive curiosity is probably a phish.
Help Asante by clicking the “Suspicious Email” or “Report a Phish” button visible on the email or Outlook controls ribbon whenever you think you may have a phish email.
Expect — and don’t fall for — text message phish fraud, known as smishing (from term SMS, a form of texting), which include clickable links and attachments.
Don’t be surprised if you receive a vishing attempt since you work for Asante, a very attractive target for cybercriminals. A vish is a phone call from a criminal posing as reputable or familiar person or firm who asks for system passwords and other sensitive information. Note the date, time and phone number and do not provide any information to the caller.

If the electronic device is not owned or inventoried by ITS, it should not be connected to an Asante device or network without ITS approval.
Keep Alexa and other smart assistant devices from “listening” to Asante patient care and business conversations. Remove them from Asante locations.
Use only Asante-approved encrypted storage devices (thumb drives) when Asante data cannot be stored on a data center server.
Make sure that personal, vendor or contractor laptops only connect to the Asante Guest network; no other Asante network is safe without ITS approval.

Browse the Internet as if your mother or boss were watching.
Avoid non-work-related sites (social media, entertainment, small retailers and political commentary, etc.), which are likely to draw phishermen and malware.
Don’t click on ads that promise free money, prizes or discounts.
There is no delete key on the internet! Be mindful of what you post on the internet while at work. You are representing Asante.
Pay attention. When using Google or other search engines, notice the source address of the site you want to choose before you click the link. Is it Amazon.com or Amazons.com? Guess which address may download malware.

Don’t take a chance. Downloading unexpected or untested software onto an Asante computer can have surprising consequences, including computer malfunction, infection and security breach.
Always obtain ITS approval before downloading software to a company computer.

Notice when non-employee, third-party vendors, contractors and business partners access Asante systems, whether on-site or remotely.
Ask the third party what cybersecurity measures it has for its electronic products and services.
Notify ITS if it appears that third-party security controls may be missing (e.g., use of shared ID or passwords, unmonitored or remote open access to our systems and network. ITS will review the third party’s access requirements and work together with our staff and the third party to improve security, as needed.
Call the ITS Service Desk if a third party has questions or comments about cybersecurity and how Asante can work with them to secure all involved.

Take note that a critical piece of Asante’s security defense is employee observations, questions, requests for help and reports of suspicious system or human activity.
Immediately call the ITS Service Desk to report system or human suspicious activity, or whenever you have cybersecurity questions or concerns. The ITS Service Desk has a direct line of communication to the Security Team and all ITS workgroups and will route your call accordingly if they cannot help you.
ITS and the Security team are asking you to maintain good cyber hygiene to protect Asante, and yourself, from cybercrime and the damage it causes.

Download the checklist

Cybersecurity Awareness Month

In 2004, Congress declared October as Cybersecurity Awareness Month (although it’s practiced every day at Asante). This year, the challenge is to “See yourself in cyber”: