Running a startup is hard especially in a heavily regulated sector like MedTech and because of the nature of the industry and the types of data Medtech startups typically handle it’s even more important to do compliance the right way.
While you may be compliant with CQC and HIPAA what you may not be aware of is the risk to your companies data and below are a few things you can do today to help you resolve those issues.
1) Use a password manager, and make your team too
Remembering passwords has always been a hassle and traditionally the only solutions were;
- Using the same password everywhere
- Forgetting your password
- Writing your password down in an insecure location
All of the above solutions are incredibly insecure and present a risk to your organization especially if the passwords are the key to sensitive data that you’re liable for.
A far more secure way of storing and sharing passwords is by using a password manager. We recommend 1Password as it’s simple to use, secure and has excellent team sharing capabilities.
2) Have GDPR compliant privacy policies
You’ll need to update your terms in order to inform your customers and anyone else who you store data on about how you are collecting, processing and sharing their data.
3) Update, update, update
As annoying as it may seem, device manufacturers often release security patches to keep you protected, it’s critical you apply these when they become available otherwise it can lead to irreversible damage.
The CryptoLocker ransomware that hit the NHS in 2017 would have been stopped dead in its tracks if they had patched their machines within the last 2 months.
Curious to know what the rest of the tips are?
To read the other 6 secrets… you can unlock them below
4) Use 2FA for all privileged accounts
Two Factor Authentication is an excellent additional measure to ensure your company protects its data.
Even with a compromised username and password an attacker is unable to access the account because you have to authorise access to your account using a code only accessible through your phone.
5) Enable Your Firewall
The last thing you want is a hacker getting access to sensitive data which is a risk by not having a firewall enabled on your network.
In simple terms, a firewall is designed to prevent unauthorised people accessing your private networks connected to the internet. All messages leaving or entering pass through the firewall, which examines each message and blocks those that do not meet the security criteria.
Your Medtech startup needs a firewall to protect your confidential information from those who are not authorised to access it and to protect against malicious users and accidents that originate outside your network.
6) Password enabled
Believe it or not, over 90% of cyber attacks and security breaches arise from human error. With that said not having a secure password enabled on all of your employee devices is not only inadvisable but ultimately reckless.
Imagine this scenario; an employee has a personal data on their laptop and the device does not have a password enabled and the employee loses the laptop. That’s a very scary scenario but easily rectifiable by ensuring that every company or personal device that is used for work has a password enabled.
7) Disk encryption enabled
Enabling disk encryption (filevault in Mac and Bitlocker in Windows) prevents someone with physical access to a machine from extracting all the data. In order to do this on an unencrypted disk, an attacked simply removes the drive from the machine and connects it to a disk reader to access all the contents in plain text. They can download all documents, pictures, sensitive information as well as see whatever is stored in the browser. Scary stuff. Prevent it by simply enabling disk encryption.
8) Automatic Operating System Update
Another way to prevent malicious attacks is to enable automatic software updates for your operating system. Even if you have a Mac you need to ensure that you’re using the newest operating system as it is a myth that Mac’s cannot be susceptible to threats and malware.
Hackers and malicious cybercriminals use weaknesses in the software and apps to attack your devices and steal identities and sensitive data which is why it is extremely important to ensure that your organisation is using the latest Windows, Mac or Linux software.
But what if they disrupt my work and it takes time out of my schedule? Fortunately, on most operating systems they allow you to schedule when you would like the update to occur so it shouldn’t cause much disruption and in the event that it does at least your data will be safe!
One of the ways to ensure that you’re handling data the correct way is to get a Cyber Essentials certification. Why would you want it? Cyber Essentials is a government-backed certificate to help organisations protect themselves against online threats and is a great way to show suppliers and customers that you take security seriously and you’ve taken steps to secure their data.
Although it’s a great start, Cyber Essentials is really the most basic level of compliance your MedTech startup should be aiming to achieve and if you desire a higher level of compliance then you should be aiming to get the Information Assurance for Small and Medium Enterprises (IASME) certification. This is based on the ISO 27001 (the industry standard for the management of information security) but tailored for small businesses.
When you do all of the steps above your MedTech startup becomes a few steps closer to becoming compliant however If you are serious about ensuring that your business data is being protected and you want to improve your business reputation schedule a demo to learn more about Cyber Essentials.