Chances are if you work in the healthcare industry you’ve heard of the Anthem data breach, where hackers illegally accessed millions of patient records and private information. This shows that healthcare organizations aren’t any more immune to data breaches than major retailers like Target or Home Depot — yet they’ve been slow to adjust to the high-tech environment.
Healthcare organizations need to be proactive in order to safeguard patient healthcare records, lower the risk of a breach, protect their reputation, and reduce their liability.
From Paper to Digital
Healthcare data has always been valuable, but until recently, it’s been hard for hackers to get to it. Paper files were locked behind closed doors and not readily available in such huge quantities. Now that the data is in electronic form and available virtually anywhere and everywhere, it’s become easier for hackers to access.
Healthcare organizations are left trying to figure out how to make information available to healthcare providers and patients alike while at the same time keeping it out of the hands of hackers.
There’s No Silver Bullet for Protecting Patient Records
No piece of hardware, software, tool, procedure or technique will protect patient healthcare data, despite what many vendors claim.
The government doesn’t have the answer either. As is evident from the recent IRS breach — where cybercriminals got into about 100,000 tax accounts — the government is in the same boat. Health Insurance Portability and Accountability Act (HIPAA) compliance will not make your organization more secure; it will only ensure that you meet federal regulations.
Cyber insurance, which is a must, is not the silver bullet either. It is a layer of protection for when something goes south. Relying completely on cyber insurance, like some companies do, is like driving blindfolded and claiming that it is okay because you have car insurance. It’s simply negligent.
Proactive Versus Reactive: Understanding Risks and Vulnerabilities
Today, most organizations are in a reactive mode. They rely on detection software, which unfortunately only works by reacting once your system is already under attack. There are no proactive measures.
Instead, put a plan in place now to lower the risk and enable your organization to react quickly in the event of a breach. Organizations can start by understanding their risks and vulnerabilities. They can utilize good hardware, software, procedures, techniques and training.
Steps Organizations Can Take to be Better Prepared
Cybersecurity and data protection are not only an IT issue but a management issue. Your leadership must be fully engaged, even if an outside vendor is hired for data security. It is your organization, and you have a fiduciary responsibility to protect it. The tasks below are specifically for the executive team or those in charge of and responsible for the organization.
Step 1: Understand the Data Your Organization Collects
Find out what data your organization collects, processes and stores. You must also find out how the data is collected, where it goes once it’s collected and who has access to it internally and externally. Note what measures, tools, techniques and procedures are used to keep data secured. Classify data based on its sensitivity. If it is public data, don’t worry about securing it. If it is sensitive patient data such as social security numbers, addresses, etc., protect it and limit access.
Step 2: Create a Security Policy and Inform Your Organization
Draft the policies that outline your security plan and inform employees and vendors what their responsibilities and obligations are for protecting this data. Remind them that this is not just patient, consumer or client data, but their personal data as well. Human resources holds all of the data on employees, and most employees don’t realize that their actions may affect not just patients but their own personal data as well. Contracts and agreements with vendors must ensure that they are taking the security of your data seriously and require them to implement a good security program satisfactory to your needs.
Step 3: Train, Train and Train
Once the plan is in place and policies are written, train everyone — leadership, doctors, nurses, vendors, and all other employees — on the new security procedures. Training should include how data is lost and stolen, risks, vulnerabilities, and responsibilities for protecting all data. Make the training personal. If data is lost or stolen it obviously impacts the patient, but it also impacts the organization, jobs, and potentially employees’ personal data and personal lives.
This is an excerpt from the Global Knowledge white paper, Healthcare Organizations and Data Breach: How to Lower Risk and Reduce Liability.