As cyberattacks targeting medical and insurance information become increasingly common, many organizations in the industry are wondering whether a data breach can cause customers to switch health care providers. Consumers are worrying about privacy now more than ever, and a recent rash of high-profile data breaches within the medical industry has made many health care providers reevaluate the effectiveness of their security practices and controls.
A recent report by Gartner found that health care delivery organizations (HDOs) are becoming frequent targets due to the increasing value of the personal data they now store in bulk both on premises and in the cloud.
“Identifying risks and protecting electronic health information can be challenging,” said Dr. Zafar Chaudry, research director at Gartner. “HDOs house personal health information and payment information, and all are lucrative targets for hackers, as well as malicious or curious insiders. Most HDO employees, however, want to help people, not become technologists, and may view information security protections as obstacles to delivering healthcare.”
Research has shown that the most common cause of data breaches in the health care industry is lost or stolen devices that contain sensitive personal information. Despite this worrying statistic, few health care organizations have so far dedicated sufficient resources to securing their devices and IT infrastructure. To encourage companies to improve their cybersecurity strategies, Dr. Chaudry suggests that CIOs of health care providers follow four simple guidelines to prepare for the challenges, assess risks effectively and develop successful security policies.
1) Assess the current state of the data the organization owns, manages and uses
Obviously, a business cannot protect information it doesn’t know it has in the first place. Before creating a security solution, CIOs need to take inventory of everything – hardware, software and data – the organization has under its control. Security doesn’t operate in a vacuum, and no matter how hard they try, even the best CIOs can’t know every detail of every department’s operations. Holding a regular meeting with IT security teams and end users to discuss pain points, preferences and requests is a critical step in staying up to date on the business’s operations and protecting its information.
2) Review existing security policies and identify the risks the organization faces
Just as companies can’t protect data they don’t know they have, they also can’t defend against threats they don’t know they face. A formal review of the organization’s current security policies is perhaps the best way to learn what’s working and what isn’t, and to define what is at risk of being targeted by a cybercriminal. CIOs should identify all risks to electronic health information that the company may face, and try to determine the likelihood of each type of event occurring as a result of each risk. Assessing the impact each attack scenario would have on the organization, as well as on its customers, is necessary to get the most comprehensive view possible of the current threat landscape.
3) Create an overarching plan to educate and train users on security
Once the risks and threats are identified and their effects determined, CIOs need to train all affected end users on the legal and ethical requirements of patient data privacy. Organizations should also ask their customers for feedback to better understand how procedures and systems can be developed to meet their needs in the future. Awareness of security practices is essential to the defense of critical data and should be ingrained in every department and every employee. The most successful security processes are those that are integrated seamlessly into existing workflows.
4) Review all network security plans, especially if BYOD is employed
Health care providers now have their data spread across a wide variety of devices, and that range is growing broader all the time. This helps to improve care, but it also vastly increases the risk that data will be lost or misappropriated. Embracing bring-your-own-device (BYOD) initiatives increases this risk further, since many devices and applications are purchased without input from IT administrators. Reviewing BYOD-related risks on a regular basis and implementing the appropriate protections is the only way to ensure that there aren’t any cracks in the security plan.
The health care industry is facing more threats than ever before as cybercriminals become increasingly sophisticated and launch more frequent attacks. One of the most reliable ways health care providers can improve their defense of sensitive information is to adopt an endpoint security strategy. Using multiple layers of defense to protect a single network is highly beneficial for organizations that store massive amounts of sensitive data, as files are then protected at every likely point of intrusion. Solutions like Faronics Anti-Virus offer traditional levels of protection, as well as anti-spyware, anti-rootkit, anti-virus and web filtering. Don’t wait until your files are compromised to deploy an improved security solution.