Your Security Breach Survival Guide
Security is critical for any organization, but it becomes even more essential when government regulations backed by fines are in effect. And Healthcare, in particular, deals with data of a sensitive nature that ups the ante for security concerns, especially as BYOD use escalates, opening the door for new risks.
Healthcare ranks last among industries in security, and that can carry costly consequences. An Agari Research report found the healthcare industry's security challenges are in a class of their own; when it comes to addressing email security and threats, it would be hard to do worse. Add the fact that experts are warning that ransomware, spam and phishing attacks targeted at the industry are likely to escalate this year, and it is obvious providers need to tighten their guard when it comes to protecting patients' protected health information (PHI).
The HITECH Act has also given HIPAA more regulatory teeth, leading hospitals and healthcare organizations to search for security solutions in an attempt to avoid costly fines of up to $50,000 per violation.
“I have not found a client yet that has ever been able to tell me their budget set aside for government fines,” says James O’Connor, Sr. Account Executive, Insight Healthcare. In other words, most organizations do not plan for breaches, either physically or financially.
While vendors and service providers can offer a lot in terms of guaranteeing security, organizations need to do their part to ensure protection as well. Here are some essential practices suggested by O'Connor that organizations can adopt to meet their high-level tech resources halfway.
- Complete a risk assessment. HIPAA/Omnibus regulations require that healthcare organizations perform a risk assessment. Failure to do so is a good way to guarantee that you face the maximum fines possible in the event of a breach.
- Establish clear and strict password policies. The ability to manage passwords is basic; go beyond it by enforcing strong password requirements (complexity levels that make guessing and cracking impractical) and by limiting how often passwords may be re-used.
- Define access policies. This means deciding who may access which data, when, and from where. It means putting limits on data access, which becomes more critical when mobile devices are in use. It also includes educating users on potential hazards, such as phishing emails.
- Control PCs and USB ports and manage smartphone/camera policies. O’Connor points out that PCs can be configured on the network to allow keyboard and mouse to work via the USB port while blocking external drives, meaning that data cannot be removed from the device. And whether it means adopting a strict no-smartphone policy or adopting a Mobile Device Management (MDM) platform that can turn off cameras while inside the network, healthcare organizations must be security-conscious when it comes to mobile devices and patient data.
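The USB configuration O'Connor describes is, on Windows, the "Removable Storage Access" policy: keyboards and mice are HID devices and keep working, while removable disks are denied. The script below is an added example written for this article, not code from Insight or from the author; it assumes a single elevated Windows machine (in a domain the same values are normally delivered through Group Policy rather than set locally) and that the registry path and the removable-disk class GUID shown are the ones the policy uses.

```powershell
# Added example (not from the article): apply and audit the Windows
# "Removable Storage Access" policy so removable disks are denied while
# USB keyboards and mice (HID class, not storage) are unaffected.
# Assumption: run elevated; in a domain, deliver these values via GPO under
# Computer Configuration > Policies > Administrative Templates > System >
# Removable Storage Access instead of writing the registry directly.

$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-class GUID the policy uses for "Removable Disks" (assumed here).
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskBlock {
    # -AllowRead keeps read access (e.g. for vendor-supplied media) but still
    # denies writing, which is what stops data leaving the PC.
    param([switch]$AllowRead)
    $key = Join-Path $PolicyRoot $RemovableDisks
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Deny_Write'   -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Deny_Execute' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Deny_Read'    -Value ([int](-not $AllowRead)) -PropertyType DWord -Force | Out-Null
}

function Test-RemovableDiskBlock {
    # Compliance check: $true only when writing to removable disks is denied.
    $key = Join-Path $PolicyRoot $RemovableDisks
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return ($p.Deny_Write -eq 1)
}

Set-RemovableDiskBlock

# Evidence for the auditor: which removable volumes are currently attached.
Get-Volume | Where-Object DriveType -eq 'Removable' |
    Select-Object DriveLetter, FileSystemLabel, Size

if (Test-RemovableDiskBlock) {
    'Removable disks: write access denied by policy'
} else {
    'Policy NOT applied - investigate before this PC handles PHI'
}
```

Group Policy pairs this setting with a companion "force reboot" option because media that is already mounted may keep its access until the machine restarts, so a compliance scan should run after a restart, not immediately after applying the keys. Blocking storage does not stop a user photographing the screen, which is why the text pairs this control with a smartphone/camera policy or MDM.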
- Encrypt all PCs, laptops and email that could contain sensitive patient data. Although HIPAA and the Omnibus rule of 2013 do not specifically require encryption, they do provide "Safe Harbor" to organizations that can prove that stolen or lost devices were encrypted. "Email encryption is used to ensure that only the intended recipient is able to access the email and any attachments," according to Barracuda's whitepaper, "Securing Email with Email Encryption." O'Connor explains, "A managed encryption solution will control the encryption keys securely in the encryption server. Only the server can decrypt the drive so it will have an accurate last known state of the device as encrypted or decrypted."
- Ensure physical security of your servers. Server hardware containing patient information should be kept in a separate, locked room with access limited to the staff who need it, and data on the servers should be encrypted. This includes patient names, birthdates and city of residence.
"Safeguarding your company data requires taking both a micro and a macro view of your security posture," explains an Absolute Software whitepaper, "The Enemy Within: Insiders are still the weakest link in your data security chain." ISO 27001 compliance gives a helpful framework for implementing ongoing security best practices, and your technology providers should follow it too. You can also invest in the best firewalls, network access controls, encryption and SIEM technologies, but your endpoints are still in the hands of employees. That's why Absolute Software also recommends conducting random security tests to keep employees on their toes, collaborating with associates to form a cybersecurity alliance, and forming an actionable crisis plan.
Mark Roberts, manager of mobile technology at Yale New Haven Health, says, "While a BYOD strategy is often convenient for clinicians and can reduce hardware costs for the provider, this approach also introduces an additional layer of data security complexity. If not implemented correctly, a BYOD program can potentially expose PHI (Protected Health Information) and put your organization at risk of a costly data breach."