Creating a Human Firewall in Your Practice
By Gracie Hogue, BM
Not sure what the term “Human Firewall” means? A lot of people don’t. But as the idea and practice of a human firewall gain wider recognition and prove their effectiveness, now is a great time to implement one in your practice.
Basically, a human firewall is a team of employees (all of them) within a business that commit to following practices to prevent and/or report suspicious online activity such as phishing emails, ransomware, data breaches, or anything that looks questionable in terms of the practice’s online security. This means that the entire team is trained in keeping the network secure.
Statistics show that most successful attacks on business networks involve employee negligence in some shape or form. You can have plenty of software protection and a good IT company, but if something malicious gets through and an employee unknowingly opens a file carrying a virus or clicks a malware link, that software protection isn’t going to help you much. So it’s obviously very important to train your employees to keep a sharp eye out for suspicious activity that gets through. Everyone knows that undue stress is zero fun.
Where to start?
First off, have policies in place that people actually understand and follow, not just typed up in a manual and on a bookshelf never to see the light of day again. Policies don’t do you much good unless they’re followed. Those policies need to cover 2-factor authentication, passwords, emails, handling of ePHI, company-issued devices, and more.
To make all this education easier for your team to digest, you can give each week a different training subject or learning focus aimed at strengthening potential and known weaknesses in the practice. For example, spend five minutes discussing how delaying software updates leaves holes in your system, what a phishing email looks like compared to a normal email, or why sharing passwords is a horrible idea. You could even use a phishing simulation program such as https://www.infosecinstitute.com/iq/ or https://www.mimecast.com/content/phishing-simulation/. The idea is for the team to feel personally invested in the security of the practice.
Along the same lines, you could create fun incentives for the team, with a reward at the end of the month going to the person who caught a phishing email, or the person who made an extra effort to learn more and familiarize themselves with the office’s software. A cash prize or a gift certificate to a favorite restaurant would be great ideas.
Keeping your practice, your money, your employees, and your patients safe is a team effort. Consider putting together a human firewall so you have a better chance at having a happy and healthy practice.