In your OD practice, you likely have implemented strong HIPAA-compliant procedures to protect your patients’ sensitive health information. But what about the security of other sensitive information beyond your practice management system? For example, are you confident that cybersecurity controls in your bookkeeping and accounting operations are effective?

In this article, I’ll address five key cybersecurity steps to protect your financial operations and help against the prevalent threat of payment fraud.

Your Practice is Susceptible to Fraud!

If you think that only large corporations are vulnerable to attacks, think again. According to the Ponemon Institute’s 2018 State of Cybersecurity in Small & Medium Size Businesses report, sponsored by Keeper Security, small businesses increasingly face the same cybersecurity risks as larger companies, yet only 28% of those surveyed feel they’re highly effective in mitigating those threats, vulnerabilities, and attacks.

According to the Ponemon report, most businesses surveyed experienced a cyber attack or data breach with severe financial consequences. Phishing/social engineering was the number one type of attack experienced, followed by web-based attacks and general malware.

Imagine a scenario where payment data belonging to your practice or your patients is compromised. I’m guessing you’ve already got a full workload as it is – so preventing issues in the first place is the way to go. Not only will you be protecting your brand, but you’ll also avoid the heartache and financial pain of the remediation process in the event your financial data is compromised.

As the owner of an OD practice, manage your risk of payment fraud by taking these 5 key steps:

Train your staff

Business Email Compromise (BEC) schemes are now common events. According to a Symantec Internet Security Threat Report, “In 2018 employees of small organizations were more likely to be hit by email threats – including spam, phishing, and email malware – than those in large organizations.” BEC schemes include fraudsters impersonating an employee, supervisor or existing vendor and requesting that payments be made to a fake bank account.

To prevent BEC schemes from succeeding in your office, raise staff awareness about the common schemes that can occur. Regular reminders are a must, since it’s common for busy colleagues (including you) in the midst of their hectic daily schedules to inadvertently open questionable email attachments or haphazardly respond to questionable email requests. So, instill in your team a healthy dose of skepticism when it comes to payment requests.

When a suspect payment request arises, everyone in your office should know the proper protocols. This includes how to correctly follow up to validate the questionable request. You wouldn’t want your bookkeeper to contact the purported vendor by calling back the phone number in the email in question, right? Don’t assume everyone knows what to do: be very specific about how to verify the validity of a request and the appropriate bank account instructions, so nothing is left to chance. And don’t forget to train your part-time and temporary staff too.

Implement bill approval processes

Having a second set of eyes involved in reviewing and approving requests for payment is another type of control used by many companies. To facilitate an efficient process, you can establish a dollar limit for approvals, so that anything over a certain amount needs a second review and approval. Using a cloud-based payment app like Bill.com can facilitate your payments and the approval workflow.

Use Positive Pay

Positive Pay is a service offered by banks in which the bank verifies that the checks presented for payment match the list of checks you’ve issued. The bank performs this double check prior to payment, to make sure the information matches. If there’s a mismatch, the bank alerts you before any funds are released, so that you can prevent losses from check fraud.
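As an added illustration (not from the article or from any bank’s actual system), here is a small Python model of the Positive Pay match described above: the practice’s issue file is compared against each presented check, and a disagreement in check number, amount or payee, or a second presentment of the same check, is raised as an exception for review instead of being paid. The check numbers, payees and amounts are constructed sample data.

```python
# Added example: a minimal model of a bank's Positive Pay match. The practice
# sends an "issue file" of checks it wrote; each presented check is compared
# to that file and anything that disagrees becomes an exception, not a payment.
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: int
    amount: Decimal
    payee: str

def build_issue_file(issued):
    """Index the checks the practice issued by check number."""
    return {c.number: c for c in issued}

def positive_pay(issue_file, presented):
    """Return (paid, exceptions). A presented check must match the issue file
    on number, amount and payee; a number already paid is a duplicate."""
    paid = set()
    exceptions = []
    for chk in presented:
        issued = issue_file.get(chk.number)
        if issued is None:
            exceptions.append((chk.number, "not on issue file"))
        elif chk.number in paid:
            exceptions.append((chk.number, "duplicate presentment"))
        elif issued.amount != chk.amount:
            exceptions.append((chk.number, f"amount altered: issued {issued.amount}, presented {chk.amount}"))
        elif issued.payee.casefold() != chk.payee.casefold():
            exceptions.append((chk.number, "payee altered"))
        else:
            paid.add(chk.number)
    return paid, exceptions

# Constructed sample data (hypothetical vendors and amounts).
ISSUED = [
    Check(1001, Decimal("450.00"), "Optical Supply Co"),
    Check(1002, Decimal("1200.00"), "Lens Lab Inc"),
    Check(1003, Decimal("85.50"), "Office Supplies LLC"),
]
PRESENTED = [
    Check(1001, Decimal("450.00"), "Optical Supply Co"),   # legitimate
    Check(1002, Decimal("9200.00"), "Lens Lab Inc"),       # amount altered
    Check(1003, Decimal("85.50"), "J. Smith"),             # payee altered
    Check(1001, Decimal("450.00"), "Optical Supply Co"),   # presented twice
    Check(1004, Decimal("300.00"), "Unknown Vendor"),      # not on issue file
]

def run_sample():
    return positive_pay(build_issue_file(ISSUED), PRESENTED)
```

Only the first check is paid; the other four land on the exception list, which is the alert the bank sends you before funds move.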

Strengthen your Bring Your Own Device (BYOD) practices

Do you allow your staff or contractors to use personal devices to access your practice’s data and conduct work? According to a Keeper Security article, hackers take the path of least resistance, which is oftentimes employee-owned mobile devices. Therefore, you need strong cybersecurity policies for personal devices if you’ve decided to allow employees to use them for work. Make sure employees protect the physical security of their devices and maintain the latest version of software (to keep security updates current). Enforce limitations on what can be accessed from them, and require that the data be encrypted on these devices. Strong password controls should be implemented for both work and personal devices.

Check in with your outside bookkeeping and accounting firm

If you use an outside firm or person to do your bookkeeping and accounting, be sure to have a robust discussion with them to gauge the firm’s commitment to protecting the security and privacy of your information. Get comfortable that your outsourced firm is committed to strong security measures. They should have a formal security policy that includes strong technology safeguards for prevention, monitoring, detection and encryption, controlled access, ongoing employee security awareness training, and backup and maintenance procedures. If you use web-based systems to conduct your bookkeeping and accounting operations (think QuickBooks Online, Bill.com, or the various payroll service providers out there), most providers of such services typically undergo stringent security procedures or SAS70 Type II audits that test their data center’s level of security.

Need Help?

If you have questions and/or would like to pursue other actionable steps to ensure your OD practice’s continued success, please reach out to me, I’ll be happy to talk with you. Orin Schepps, Founder and CEO @consultanceaccounting  http://www.consultancellc.com

Sources:

Ponemon Institute. “2018 State of Cybersecurity in Small & Medium Size Businesses.” Keeper Security, 2018. https://start.keeper.io/2018-ponemon-report

Symantec. “ISTR Internet Security Threat Report.” Symantec, February 2019. https://img03.en25.com/Web/Symantec/%7B1a7cfc98-319b-4b97-88a7-1306a3539445%7D_ISTR_24_2019_en.pdf

Keeper Security. “5 Cybersecurity Tips For Small and Medium Sized Businesses.” Keeper Security, 27 September 2016. https://keepersecurity.com/blog/2016/09/27/5-quick-cybersecurity-tips-for-small-businesses/

Bill.com. “Protecting Yourself From Business Email Compromise (BEC) Schemes.” Bill.com, 26 March 2019. https://support.bill.com/hc/en-us/articles/360015918451-Protecting-yourself-from-Business-Email-Compromise-BEC-schemes

MDL Technology, LLC. “Cybersecurity Tips for Accounting Firms in 2018.” MDL Technology, 8 January 2018. http://www.mdltechnology.com/cybersecurity-tips-accounting-firms-2018/