You may not typically give the idea of cybersecurity much thought—but when it comes to protecting yourself and your massage therapy business, the security of your data is something that requires your attention on a regular basis.
The Federal Trade Commission reports that about 9 million Americans per year have their identities stolen — and HIPAA Journal says that nearly 9.7 million health care records were compromised in September 2020 alone.
Hackers are out there, and your personal data and your clients’ are their target. In addition to passwords, credit card numbers and bank account information, criminals often harvest and sell personal details to scammers who have more sophisticated ways to use the information.
Here are 10 ways to reduce your cyber risks and keep your practice data safe.
1. Get Control of Your Devices
You are probably using some kind of electronic system to store your SOAP notes and other client records; in addition to its security features—and ensuring the software is HIPAA-compliant—make sure the computer on which you use it is physically secure. That means setting it to lock after a couple of minutes of non-use, and setting a password to unlock it so an unauthorized person can’t walk over and read private information on the screen, Steven J. Hausman, PhD, president of Hausman Technology Presentations, told MASSAGE Magazine.
“Don’t leave your computers open and unattended, [and] make sure the computers are behind desks,” he suggested. If you use tablets for your SOAP notes or other business activities, don’t leave them lying around.
You should also, Hausman added, limit the number of employees who have access to a work computer. If they don’t need access in order to do their job, don’t grant it.
2. Separate Business from Personal
It’s best to conduct business using a different computer than your personal computer. This may be challenging given the fact that so many people started working from home during the pandemic, but it’s still considered a best practice to keep the two separate. That way if one of your machines is hacked into, the other is still secure.
3. Be Aware of Phishing
You’ve undoubtedly seen phishing emails before, where you get an email that looks like it’s from Microsoft, telling you there’s a problem with your account; then if you click the link and enter your account password, you end up giving access to whoever sent the email. Phishers usually send these emails to huge lists and hope a few people are tricked into giving up their information.
Check the sender of an email, suggests Hausman, by hovering your mouse over the “from” line in the email, which should reveal the real email address behind the displayed name. If you’re still not sure, it’s best not to click links in any email that seems even a little suspicious.
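The hover check above compares the name an email displays with the address actually behind it. As an added example (not from the article or its sources), this short script does the same comparison on a few constructed From: headers, flagging ones that claim a well-known brand while the real address sits on some other domain; the brand-to-domain table is an assumption you would extend for the senders your practice deals with.

```python
"""Added example: flag From: headers whose displayed name claims one sender
while the real address points elsewhere. Not part of the article; the
header values and the brand table below are constructed samples."""
from email.utils import parseaddr

# Constructed sample From: header values (not real messages).
SAMPLE_FROM_HEADERS = [
    'Microsoft Account Team <security@microsoft.com>',
    'Microsoft Account Team <noreply@micros0ft-support.example>',
    '"PayPal" <alerts@mail.example>',
    'Jane Doe <jane@example.org>',
]

# Assumed table of brands often impersonated and the domain each should use.
KNOWN_BRAND_DOMAINS = {
    "microsoft": "microsoft.com",
    "paypal": "paypal.com",
}

def real_domain(header_value):
    """Return the domain of the actual address (the part after '@'), or ''."""
    _display, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def looks_spoofed(header_value):
    """True when the display name claims a known brand but the real address
    is not on that brand's domain (or a subdomain of it)."""
    display, _addr = parseaddr(header_value)
    domain = real_domain(header_value)
    for brand, expected in KNOWN_BRAND_DOMAINS.items():
        if brand in display.lower():
            return not (domain == expected or domain.endswith("." + expected))
    return False  # no known brand claimed in the display name: nothing to compare

def triage(headers):
    """Return the header values whose links should not be clicked."""
    return [h for h in headers if looks_spoofed(h)]

if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(("SUSPICIOUS " if looks_spoofed(h) else "ok         ") + h)
```

A name that matches no entry in the table is left alone, so an unfamiliar sender still deserves the manual look the article recommends.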
“Never type in your credentials off a link,” said Chris Jordan, CEO of Fluency Security Corp. “That’s how a lot of identity is being stolen today.”
The most common technique today, Jordan says, is spear phishing, which employs the same concept as phishing but uses bits of your known personal information to target you specifically. This can happen easily if you befriend a person on Facebook you don’t know (or a fake profile of someone you do know) and they use information from your profile to scam you.
In one classic example, a scammer finds out someone is on an overseas trip based on information in their profile, then contacts the person’s relatives asking them to wire emergency cash.
What’s an easy way someone’s Facebook profile can get hacked? See #4 below.
4. Don’t Reuse Passwords
Once you’ve used a password on a site, don’t use it on another site. Why? If the site you’ve used a certain password on is hacked, the hacker can potentially use it to get into your accounts on other sites.
Jordan recommends using password management software such as LastPass or OnePass; these programs generate a random string of characters as a password for each site you visit and store it securely, while you use a master password to gain access.
5. Password-protect WiFi, Too
“If you have a WiFi network in your office, you want to make sure that’s encrypted and you have a high security password,” said Hausman. “Don’t use ‘1234’ as a password or ‘password1’… those things take about two microseconds to discover, to be hacked.”
6. Use Two-Factor Authentication
If a program offers two-factor authentication—where you type in a password, which then sends a code “key” to your phone or email, and then you enter that code—use it, say experts.
“I would recommend two-factor authentication for everything,” said Hausman.
However, two-factor isn’t 100% foolproof. “There are weaknesses to it,” said Jordan. “People can spoof emails and stuff like that, and spoof phone calls to trick you into giving up your key.”
As long as you always keep your key secure and use a strong password, two-factor authentication is a great way to tighten security, and many companies have adopted it. It’s a great feature to look for when you shop around for business software.
7. Back Up Your Files
Backing up your files is a good business (and personal) practice in case your computer crashes or someone swipes your laptop. It’s also an anti-scam tactic.
In a ransomware attack, scammers infect your computer with malware to “lock” your system and all your files, then send you a message that you can only get them unlocked by paying a hefty fee. The solution? Back up your files, and do it regularly. That way you can restore your files without having to pay the ransom.
“It’s important to have multiple copies of backups, and keep them in separate locations,” says Hausman. “Offsite can be a physical location or in the Cloud.”
8. What About Antivirus Software?
Use it. Basic (paid) antivirus software should be installed on all your computers and devices. More expensive versions may be preferable for your business devices, not because the level of protection is necessarily better, said Jordan, but because the pricier versions may include services like endpoint detection and response (EDR). EDR allows management of multiple endpoints—computers in your network—which is useful if you have multiple devices in use for your business.
The detection and response part of EDR kicks in when there is a problem on your network, said Jordan. If a computer on your network is visiting pornography websites or downloading unsafe files—which can happen if, for example, an employee lets their child use their work computer and they download games—the EDR detects the unusual activity and alerts you.
It allows you to know when “there’s unsafe practices going on, but at the same time, it’s giving all this vision into that endpoint device.” If you use such software, Jordan recommends giving all your employees a document to sign acknowledging that they understand their activities on their work devices are not private.
9. Choose Your Software Carefully
When you’re shopping around for software to manage your massage practice, you have many factors to consider. Some, such as HIPAA compliance and two-factor authentication, we’ve already discussed.
Hausman suggests asking if the software is custom-made for your business, or if it is a standard program that can be modified for you. “If it’s custom-made, you have to make sure you know the capabilities of the people who are producing that software,” he said. “Do they have a compliance statement on there? Are they willing to guarantee that it’s HIPAA compliant?
“Typically,” he added, “the stuff off the shelf with minor modifications is usually a little better designed, because [the developers] have more experience with it.”
Other security-related questions to ask:
• Does it support multiple users with individual profiles? How does it manage those profiles? Is there two-factor authentication?
• Does it require users to create appropriately complex passwords?
• How are password changes handled? Are you required to change your password every so often?
• Is the website secure? (It should start with https, not just http.)
• Are all transactions encrypted?
• Does the system keep track of logins and activities?
• How often are records backed up? Where are they backed up?
10. Tell Your Clients
Once you have taken the steps necessary to secure your practice, inform your customers.
“Your clients—you care for them. Let them know,” said Jordan. “Put it on your website: ‘We do all these things to protect you. We care about your privacy.’ Customers care whether you treat their data well, and it generates loyalty. Good security lets a company grow.”
Allison M. Payne is a freelance writer and editor based in Central Florida. Her recent articles for MASSAGE Magazine include “Claim Your Google My Business Page to Get Free Publicity for Your Practice” and “Paperless Practice Management is Easier to Set Up Than You Might Think.”