Did you know it was recently Health Information Privacy and Security Week?
While other odd holidays (National Chocolate Day, anyone?) are fun to be aware of and celebrate, Health Information Privacy and Security Week is something we, as an industry, need to use to raise awareness about healthcare security. The statistics are grim: healthcare data is worth at least 10 times what credit card data is worth, and criminals know it. There were 253 healthcare breaches in 2015, with a combined loss of over 112 million records.
Healthcare information security tips
No one ever deserves to be breached, but to have your healthcare information exploited is extra painful; healthcare and insurance are hard enough to navigate without having had a hacker sell off the information.
If you are a security professional in the healthcare industry, healthcare information security is your job – even when it is other people mishandling information. You need to raise awareness about healthcare information security and implement (and enforce) new rules to keep healthcare staff from making security mistakes.
As we have written about before, a lot of healthcare data breaches happen because healthcare workers are not motivated to practice information security diligently. So what do you do to counteract this? Inspire better security behavior. We have a detailed post on how to do this, but here are the 5 tips:
- Explain the ‘why’ in language they can understand
- Be present
- Provide evidence of potential personal consequences
- Block sites
- Maintain regular check-ins
Conduct an electronics inventory
For your own knowledge, and to share with employees and executives, inventory all the electronics vulnerable to security breaches in your organization. With the Internet of Things projected to grow to 26 billion units by 2020, this could be a huge number of devices.
A huge focus of your inventory should be mobile devices and how employees are using them on the job. BYOD is one of healthcare’s biggest security issues; according to a 2014 Healthcare Breach Report, 68% of all healthcare data breaches since 2010 are due to device theft or loss. Know what is being used in your organization and create a plan to protect it.
Passwords are certainly not the ideal form of security, but until someone comes up with an alternative, we need to follow strict password practices. In addition to requiring employees to have strong passwords, make sure they actually use them. Have computers lock or log out after a short period of inactivity; it may annoy employees a little, but remind them of how much data they have access to and how easy it would be for someone to sneak a peek or use an unattended terminal when no one is watching.
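As an added example (not code from the original post), here is one way to enforce and then audit the short inactivity lock described above on a Windows workstation, the platform most clinical terminals run. It uses the built-in "Interactive logon: Machine inactivity limit" policy value and the per-user secure screen saver settings; the 300-second timeout is an assumed value chosen for illustration, and in a real environment these settings would be pushed by Group Policy rather than set by hand on each machine.

```powershell
# Added example: enforce and audit an inactivity lock on a Windows workstation.
# Assumes it is run in an elevated (administrator) PowerShell session, since the
# machine-wide policy value lives under HKLM. The 300-second timeout is an
# assumed value for illustration; pick what fits your clinical workflow.

function Set-InactivityLock {
    param([int]$Seconds = 300)

    # Machine-wide: "Interactive logon: Machine inactivity limit".
    # Windows locks the session after this many idle seconds regardless of user settings.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs' `
        -PropertyType DWord -Value $Seconds -Force | Out-Null

    # Per-user belt-and-braces: secure screen saver that requires re-authentication.
    $desktopKey = 'HKCU:\Control Panel\Desktop'
    Set-ItemProperty -Path $desktopKey -Name 'ScreenSaveActive'     -Value '1'
    Set-ItemProperty -Path $desktopKey -Name 'ScreenSaverIsSecure'  -Value '1'
    Set-ItemProperty -Path $desktopKey -Name 'ScreenSaveTimeOut'    -Value "$Seconds"
}

function Test-InactivityLock {
    # Returns $true only if the machine-wide limit is set and no longer than $MaxSeconds.
    param([int]$MaxSeconds = 300)

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = Get-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs' `
        -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $false }   # policy never set: terminal stays unlocked
    return ($value.InactivityTimeoutSecs -gt 0 -and $value.InactivityTimeoutSecs -le $MaxSeconds)
}

# Usage: enforce a 5-minute lock, then confirm it took effect.
Set-InactivityLock -Seconds 300
if (Test-InactivityLock -MaxSeconds 300) {
    Write-Output 'Inactivity lock is enforced.'
} else {
    Write-Output 'WARNING: inactivity lock is missing or too long.'
}
```

The audit function is the part worth keeping around: run it across workstations during the electronics inventory to find terminals where the lock was never applied or was quietly relaxed. A user-level screen saver setting can be changed by the user, which is why the machine-wide policy value is what the check relies on.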
Hire a CSO
The salary of a CSO would be a fraction of the cost of a data breach. Security, and especially healthcare security with its intricate privacy laws, is not a job that can be done without an executive to help strategize and manage all the moving pieces.
If your business doesn’t have a CSO, consider suggesting that you or someone else internally redefine their job description to become a CSO. It could be an easier sell to the C-suite to have someone with internal and industry knowledge join their meetings. Another option is to outsource the job to a healthcare information security organization.
Healthcare information security is one of our battles right now. It is an industry already filled with rules and regulations, so implementing and enforcing more is going to be an uphill battle, but it is a battle worth fighting to protect your business.