It’s no secret that data security has serious implications for healthcare providers. A major breach can seriously undermine public trust – and result in hefty fines.
Simply watching the news is enough to make it clear that major security breaches in healthcare are on the rise, and the issue is only set to become more pronounced with expanding adoption and use of electronic health records. These technologies offer great promise for patients – but they also mean new risks and security requirements.
Along with new threats have come new rules: OCR audits for compliance with HIPAA/HITECH privacy and security rules are affecting more and more healthcare providers. In this fraught landscape, how can organizations protect themselves?
There are three essential prongs of defense for a comprehensive security strategy:
When most people think of security, this is what comes to mind: stopping a breach from occurring in the first place.
There’s a major technical component to prevention, of course. Your IT folks will need to understand and implement best practices for network firewalls, online account authentications, and many, many more aspects of your technological infrastructure.
But there’s more to prevention than the technical side of things. It’s equally important to consider your personnel. Some of the largest-scale breaches have succeeded not because of sophisticated technical hacks but because of old-fashioned trickery.
A would-be thief might call customer service and impersonate an authorized user of your system in order to extract sensitive information like passwords. In order to defend against these avenues of attack, your staff needs to know what to watch for – and they need to be trained to follow strict, secure procedures when it comes to sensitive information. Data security is truly an all-hands-on-deck effort.
Your staff can also act as a first line of detection for clues that something may be amiss on your network. Seemingly minor oddities – a slow network connection, a password that isn’t working all of a sudden – can be early indicators of a big problem. Make sure your staff is trained to spot and report these issues, doing their part to help monitor for signs of anything fishy.
Even among healthcare organizations who take security seriously, too many people put a lot of effort into prevention-Â¦and then stop there. But that creates a massive vulnerability. If a hacker does get through without your knowing, they can quietly siphon your data over an extended period. And in this case, ignorance is not bliss.
The good news is that a strong detection strategy can make a big difference. The key ingredient? Human monitoring. You can turn to either a third party or your IT team for this task, but the important thing is that you have knowledgeable eyes on your network data. These security experts will be able to identify and interpret red flags like heavy network traffic at unusual times, or repeated failed login attempts. Because hackers’ methods of stealing data are always evolving, there’s just no replacement for human experience and analysis. It’s important that your experts remain diligently up-to-date on new vulnerabilities, hacks, malware, and detection strategies.
In a time of crisis, this knowledge can make all the difference. With the right eyes on the right data, you’ll be much likelier to detect an intrusion as it happens. And this gives you the ability to react much more quickly and effectively. The sooner you catch a breach, the likelier it is that you’ll be able to identify and address the vulnerability that allowed it to happen.
That brings us to the third mode of defense against security breaches in healthcare: an effective response. If an attack does occur, you need to be prepared to minimize the damage.
In the moments after detection, that means alerting your staff immediately and following your response plan to determine the appropriate next steps. Situations vary, which may entail disconnecting affected devices from the network, or leaving them connected and monitoring the hacker’s next move.
Make sure you’re informed about any state, federal, and industry reporting requirements to which you’re subject. Follow them, and make any communications with the public as clear and forthright as possible. Once you’ve resolved the situation, make sure all relevant parties know that you’re back to business as usual.
More importantly, use what you’ve learned. There are lessons in any breach: iterate and improve your overall security strategy based on what has happened. A successful security strategy is a three-legged stool: without all three of these modes of defense, it will not stand. But if you prepare a coordinated approach to prevention, detection, and response – and if you refuse to grow complacent, recognizing that strong security is always evolving – your organization will be ready to do business with confidence.