October is National Cyber Security Awareness Month and with the recent shift towards electronic records and the use of big data, healthcare providers need to fortify data security to safeguard against data breaches. The recent Healthcare.gov web site hacking is an example of why healthcare organizations should not only have a data security plan but also a breach plan.
SingleHop has enumerated online scams, phishing and massive data breaches as classic examples of hacking methods, and all of these can start with a single unprotected computer, a leaked password or, in the case of a phishing e-mail, a clicked link.
While there have been new laws geared towards data security like OCR audits for compliance with HIPAA/HITECH privacy, healthcare organizations should also take care of their own system, their home front, with their own policies and procedures.
Jason Riddle, Practice Leader of LBMC Managed Security Breaches, outlined the three prongs of defense in a comprehensive security strategy: prevention, detection and response.
Stopping a breach from occurring in the first place is the main goal of data security. This is where most of the work of IT security lies – building an infrastructure to secure data, developing security procedures and policies and educating users on data handling.
Protected servers are crucial for securing patient medical information. A control such as two-factor authentication for logins can be implemented, especially for access to confidential data like big data and analytics stores.
Riddle notes that aside from considering the technical aspect of securing the IT system, healthcare organizations should start with their personnel. The largest data breaches occurred not because of technical issues but because of human error. The healthcare.gov web site hacking occurred because personnel failed to change the default password of an installed program, a simple standard operating procedure that was overlooked.
End users, employees and personnel should regularly be trained and educated about data security, especially on how to spot a suspicious-looking e-mail and how to keep their computers safe from malware and viruses. Vigilance is the key.
While a big chunk of security preparedness lies in prevention, consistent monitoring, maintenance and upgrading are all part of data security too.
There will always be little cracks in the system where data breaches may start, so detection should be part of security procedures. Riddle says that a huge part of this security process lies in human monitoring. So whether you hire a team in-house or outsource, this part of data security requires continuous, 24/7 work. It’s an always-on-your-toes job. We are not talking about just monitoring within your network but also keeping abreast of the latest news on how hackers are getting into systems, so the team can check the system for areas that are vulnerable to breaches.
Prevention and detection form a cycle. Systems always need to be monitored and upgraded.
Part of an organization’s defense against security breach is its response if and when it happens. This part of the defense plan mainly deals not only with the organization’s internal system but also its reputation. Studies show that consumers are more forgiving about data breaches (or the loss of trust) when a company’s response to a data breach is immediate, strong, decisive and responsive.
The response time once a breach has been detected should be immediate. Mitigation of an attack is crucial within the first few minutes of a breach – it can spell the difference between an intrusion into the servers and a massive data theft. The response team should act strongly and decisively, knowing what protocols to follow to prevent further data theft.
Informing the public about the breach is also the right (and legal) thing to do. Riddle says that breaches should be reported to the authorities, depending on the state, federal and industry reporting requirements. A healthcare organization’s legal and public relations teams should be on top of this external response to a security breach.
Lastly, fixing a data breach means you use what you’ve learned. Overall security strategies and policies need to be reviewed, revised and updated. Infrastructure, firewalls and security software programs may need to be replaced or fortified further.
Safeguarding Medical Information
Healthcare organizations may not acknowledge this yet, but they are prime targets for data breaches because of the wealth of information they hold about their patients. Investing in data security and making it a priority is also a way of keeping their patients and their information safe.
We should not be complacent. We need to be vigilant and be prepared.