Why Doctors Should Prepare For A Data Breach

When it comes to dealing with a data breach, it isn’t so much a question of if it will happen as of when. Studies have shown that one in four health care organizations have experienced a breach. And even if perfect security could be achieved, there would still be the risk of someone with legitimate credentials accessing the data and using it inappropriately.

It’s human nature. We’re not perfect. Things happen.

Yet even with statistics showing how commonplace data breaches are in our society, what is surprising is how many health care organizations are not spending the time needed to prepare.

Preparation today is no longer about putting up a firewall to keep the bad guys out. With the growing availability of electronic devices, and an equally growing availability of patient data in electronic format, this approach is no longer feasible.

Instead of investing in firewalls, it’s now mandatory to create a system of continuous monitoring, to track how people access information and what they do once they get inside of the system.

To start, users should be subdivided into groups.

The great majority of users will use the system as intended and infrequently. This would include patients who access their records a few times per year, for instance.

You will also have high-profile users who access the system on a regular basis in a variety of different ways. These users may have access to confidential or restricted records, or have the ability to use the system in more detailed ways, such as inputting data.

The higher the user profile, the more security is needed. That includes regular monitoring to ensure the system is used correctly. Through continuous monitoring, you’re more likely to catch the breach early in the process.

However, splitting people into groups and monitoring them based on their level of access isn’t always accurate. You can’t always predict human nature. Because risk is in constant ebb and flow, it’s important to have emergency overrides that allow authorized personnel to quickly restrict access and shut out imminent danger as appropriate.
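As an added example (not from the original post), the following Python sketch shows the tiered monitoring and emergency override described above over a constructed patient-record access log: the tiers, permitted actions, per-tier volume thresholds and the log format are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample access log: (user, tier, action, patient_record)
ACCESS_LOG = [
    ("pat-1001", "patient", "view", "pat-1001"),
    ("pat-1002", "patient", "view", "pat-1002"),
    ("pat-1002", "patient", "view", "pat-1003"),  # someone else's record
    ("dr-smith", "clinician", "view", "pat-1001"),
    ("dr-smith", "clinician", "update", "pat-1002"),
    ("dr-smith", "clinician", "view", "pat-1003"),
    ("billing-7", "staff", "export", "pat-1001"),
    ("billing-7", "staff", "export", "pat-1002"),
    ("billing-7", "staff", "export", "pat-1003"),
    ("billing-7", "staff", "export", "pat-1004"),
    ("billing-7", "staff", "export", "pat-1005"),
    ("billing-7", "staff", "export", "pat-1006"),
    ("billing-7", "staff", "update", "pat-1001"),  # staff may not edit records
]

# Assumed policy per tier: permitted actions and how many distinct records
# one user normally touches in a review window before it is worth a look.
TIER_POLICY = {
    "patient":   {"allowed": {"view"},           "max_records": 1},
    "staff":     {"allowed": {"view", "export"}, "max_records": 5},
    "clinician": {"allowed": {"view", "update"}, "max_records": 50},
}

def review_access(log):
    """Return (user, reason, detail) alerts: per-event violations, then per-user volume anomalies."""
    alerts, records_by_user, tier_of = [], defaultdict(set), {}
    for user, tier, action, record in log:
        tier_of[user] = tier
        records_by_user[user].add(record)
        if action not in TIER_POLICY[tier]["allowed"]:
            alerts.append((user, "disallowed action", action))
        if tier == "patient" and record != user:  # patients see only their own
            alerts.append((user, "cross-patient access", record))
    for user, records in records_by_user.items():
        if len(records) > TIER_POLICY[tier_of[user]]["max_records"]:
            alerts.append((user, "volume anomaly", len(records)))
    return alerts

def lock_flagged(alerts):
    """Emergency override: the set of accounts to restrict immediately."""
    return {user for user, _, _ in alerts}

def access_permitted(user, locked):
    """Gate every request against the lock list, whatever the user's tier."""
    return user not in locked
```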

If there is a situation, acting quickly is the key to success. Early response and quick action can not only help you avoid a larger problem, it can also spare you a situation that blows up into a publicity nightmare.

Stopping the situation is important; the right system protocol can cut your risk factors tenfold. Being prepared for a story going viral in traditional or social media is also essential; it can make the difference between surviving and thriving.

Perfect security isn’t possible. But if you accept responsibility from the beginning – from planning, to monitoring, to recovering when things go wrong – you will have your surest line of defense.

Are Your Employees Responsible For A Data Breach?

Data breaches have become a common topic in the news. While we tend to think of data breaches as being caused by hackers in faraway lands, studies consistently show that isn’t true. Internal threats are equally dangerous to customer data, whether they are caused by malicious behavior or by human error.

When it comes to employees choosing to access data with malicious intent, it’s usually for one of two reasons: they are looking for financial gain or they are seeking revenge. Because they are actively choosing to access data with the sole intent of causing damage, they will also be looking for the weakest points of entry. The more layers of security you have in place – such as firewalls, antivirus software, antispyware, antiphishing software – the more you can limit what they can gain access to.

The more common internal threat comes from human error and careless ignorance. These behaviors often expose the company’s “hidden” vulnerabilities. Often they are caused by savvy employees looking to do their jobs more efficiently, who in the process make the company’s data more vulnerable. These well-intentioned employees:

  • Bypass security because it’s time-consuming and restrictive
  • Sidestep security because it prevents them from performing their work
  • Create workarounds to improve their individual efficiency
  • Are often not aware of the company’s security policies, and in many cases haven’t received the proper training to understand the vulnerabilities

Many companies have actually rewarded employees who discover workarounds that expose security flaws, in order to bring them to light and fix them.

The most important thing companies can do is to put the right security measures in place, and follow up by providing proper employee training. The more critical the data an employee has access to, the more important training becomes. People in accounting, human resources, legal, personnel and account management, as well as various levels of management, may have access to more sensitive data than others within the company. This is where your biggest vulnerabilities lie.

It’s a fine balance between security and productivity in the day-to-day workflow.

The goal is to limit who has access to what data, as well as to determine why a person needs the data they have requested. Tools and procedures to consider implementing include:

  • System wide encryption
  • Inspection access controls
  • Password management
  • Authentication
  • Device recognition
  • Data disposal
  • Transparency

The battle to fight data breaches starts from the inside. While it’s important to secure all data from threats both inside and outside of your organization, it’s equally important to do so in a way that won’t hinder your employees’ progress. There is a fine line to balance all of your efforts. Want to talk more? I’m happy to share my ideas.