Large-scale data breaches are reported on a more or less weekly basis, with companies in all sectors being affected.
Corporations and tech giants are frequently targeted by hackers due to the volume of data they process and store, but healthcare organizations of all sizes are just as vulnerable to attacks because of the increasingly high value of the protected health information (PHI) they hold.
Generally speaking, health information has a longer shelf life than financial information, and can therefore command a higher price on the black market.
While malicious outsider attacks, including unauthorized access, phishing, and ransomware attacks were the leading cause of some of the biggest healthcare data breaches in 2016, the most consistent threat to organizations comes from within. In fact, the Ponemon Institute (a data security firm) reports that more than half of data breaches occur because of a malicious insider or through human error.
Common causes of data breaches within healthcare organizations include loss or theft of unsecured employee devices containing PHI; unauthorized access to or disclosure of healthcare records; and improper transmission, storage, or disposal of identifiable patient information. Considering this, it is vital that clinics of all sizes do everything they can to protect patient data from both external and internal data security threats.
Better the devil you know
Although insider security threats are a very real issue, organizations do have the advantage of being able to do something about it.
The following points are suggested to help doctors of chiropractic mitigate security threats from within their own practices. While safety can never be 100-percent guaranteed, you can certainly reduce your exposure to common dangers.
Set access controls
It’s human nature to want to use a memorable password for easy access to information, but when PHI is at stake, using simple, easy-to-guess passwords that aren’t changed frequently can leave your organization vulnerable.
All staff passwords should be hard to guess, and be changed every one to three months to minimize risk. In addition to strong passwords, multi- factor authentication should be used when using any systems that allow an employee to access or modify PHI, through a computer, smartphone, or tablet.
As an extra step to protect PHI, you should consider tiered levels of access for all employees who come into contact with patient information.
Internal assessments
Preventing and restricting access to PHI is a necessary step, but to ensure these measures are working, regularly conduct an analysis of logs to check who has accessed or modified data, with alerts set to notify you of all login attempts.
Furthermore, while being selected for a HIPAA audit is rare, if you conduct routine internal risk assessments and mock audits for potential breaches, you can identify gaps in your data protection strategy as well as maintain security awareness among your staff.
Device management
Mobile technology has transformed the way healthcare professionals communicate and coordinate care. There are many benefits to being able to manage patients’ health information when you’re away from a desktop computer, but there are equally as many risks.
Before allowing any devices that store or transmit PHI to leave your practice doors, it is crucial such devices be encrypted, have secure login methods in place, and have remote wiping or disabling allowed, to prevent data being accessed in the event of a device being lost or stolen.
HIPAA-compliant messaging and storage
The rules around the transmission and storage of PHI under HIPAA are sometimes misunderstood, particularly when it comes to encryption. The fact that encryption is listed as an “addressable” standard, rather than “required” within HIPAA’s technical standards, leads many organizations to assume encryption is unnecessary when handling PHI.
But disregarding addressable standards, particularly regarding encryption, leaves covered entities more vulnerable to breaches. In other words, encryption is not optional.
In addition, when sending PHI,employees must avoid using non-secure applications such as unencrypted email, text messaging, or instant messaging applications such as WhatsApp or Facebook Messenger, which do not meet HIPAA compliance standards. The downloading or storage of PHI must be done in a secure, HIPAA-compliant environment, and data should be encrypted while at rest.
Security training
HIPAA training should be at the core of your data protection strategy. While awareness won’t prevent every error, educating staff who have access to PHI will help minimize risks.
Phishing scams, ransomware, and social engineering attacks are becoming increasingly sophisticated, so your employees need to be made aware of the latest tactics used by scammers to encourage a victim to give up confidential information.
If you explain to your employees how they can play a huge part in reducing the risk of security breaches, they will be more likely to think twice before sharing their login details, or passing on information to an unverified source.
Mitigating insider threats is all about developing a culture of security within an organization. While physical safeguards are absolutely necessary, they can count for very little if your staff isn’t trained to spot the warning signs.
Take the needed steps now, before risk turns into reality.
Gene Fry has been the compliance officer and vice president of technology at Scrypt since 2001 and has 25 years of IT experience working in industries such as healthcare and for companies in the U.S. and abroad. He is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute, and he is certified in HIPAA privacy and security. He can be contacted through scrypt.com.