Data security and management challenges faced by the healthcare industry can be instructive for all industries due to the onerous security regulations healthcare organizations are subject to.
Healthcare organizations are governed by a thicket of federal and state laws regulating protection of electronic personal health information (e-PHI).
In recent years the Department of Health and Human Services (HHS) and the Office of Civil Rights have stepped up scrutiny of data breaches in the healthcare industry. Changes in HIPAA rules also require more breach reporting, meaning healthcare organizations can expect swift enforcement actions if they’re caught out of compliance.
Network security systems are attacked on average two million times per week, and many of these attacks result in data breaches.
A 2012 study by the Ponemon Institute found that 94% of healthcare organizations had at least one data breach in the preceding two years. IT teams in non-healthcare organizations can learn from how healthcare organizations maintain tight data security.
Under HIPAA, an audit control framework “require[s] entities to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use e-PHI.” Developing an audit control framework for your organization is a good start for identifying risk management solutions. Here are some lessons your organization can use from those learned by the healthcare sector.
No Organization Is Foolproof
Maybe your business isn’t in the banking, healthcare, retail, or some other industry that’s particularly “attractive” to hackers, but some hackers simply like to watch the world burn. By being prepared, you can significantly reduce problems resulting from security breaches. It starts with a strong IT security attitude and an incident response plan. Like a fire drill, your security response plan should be practiced, and should be implemented by a reliable team that takes it seriously. Your response team may include people from IT, legal, public relations, and the C-suite.
Learn from Others’ Mistakes
In October 2009, 57 hard drives containing unencrypted e-PHI were stolen from a former call center for Blue Cross Blue Shield of Tennessee (BCBST). BCBST swiftly reported the breach to HHS and launched a company-wide inventory of all its e-PHI. They also initiated a $6 million encryption project for an additional 885 TB of e-PHI. BCBST ultimately spent $17 million investigating the breach, notifying those affected, and implementing new security measures. They also had to pay a $1.5 million fine and implement corrective measures to settle their HIPAA violation.
While the company’s voluntary remedial efforts were laudable, it was still a fiasco, and BCBST now has a strict framework for managing and mitigating privacy risks that includes:
• Company-wide inventories of all data repositories
• Encryption of data
• Internal policies and procedures on handling sensitive data
• Employee training on those policies and procedures
• Conducting comprehensive risk assessments
• Maintaining a risk management plan
• Limiting and controlling physical access to critical data
The Best Defense Is a Good Offense
After a breach, you may wish you were wearing a helmet and pads.
Preventing breaches requires a proactive attitude toward protecting systems, networks, and data. All assets should be investigated and measures should be taken to mitigate risk. Your strategy should keep in mind the following hard facts:
• Hackers are sophisticated, prevalent, and do not remain static.
• Data breaches are common, and often go undetected and unreported.
• Damage from a breach can go beyond immediate costs to include fines, sanctions, and long-lasting reputational damage.
Best Practices in Proactive Security
HIPAA requires conducting risk assessments, and this is smart for non-healthcare organizations too. The National Institute of Standards and Technology also emphasizes risk assessments as the foundation for security. Assessments should identify vulnerabilities, even if they seem unrealistic, because hackers’ techniques can evolve rapidly.
A 2013 Ponemon study found that the average cost of a data breach is greater than $5 million, and that’s before accounting for reputational harm. Some security measures may seem redundant, but many of them are sound investments.
In the healthcare sector, HIPAA requires organizations to implement mechanisms to record and examine activity in information systems handling e-PHI. Similar audit control in your organization gives you valuable visibility into systems and lets you recognize questionable activity early, possibly preventing a breach.
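The “record and examine” half of that audit requirement is where most organizations fall short: the log exists, but nobody looks at it until after a breach. The script below is an added example (not code from the original article or from any vendor it mentions) of the simplest form of examination: it parses a few constructed e-PHI access-log lines and flags the patterns a reviewer would want to see first, such as after-hours access, access from outside the internal address range, and one account touching an unusual number of patient records in a day. The log format, field names, thresholds, address ranges and user names are all assumptions made for the example.

```python
"""Added example, not from the original article: a minimal audit-control
review over constructed e-PHI access-log lines. It records nothing itself;
it examines an existing log and surfaces questionable activity early.
Log format, field names, thresholds and address ranges are assumptions."""

from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user, action, patient record id, source IP.
# The whitespace-separated format is an assumption; real EHR audit trails differ.
SAMPLE_LOG = """\
2024-03-04T09:12:10 nurse_a VIEW PT-1001 10.0.5.21
2024-03-04T09:15:44 nurse_a VIEW PT-1002 10.0.5.21
2024-03-04T13:02:03 billing_b EXPORT PT-1003 10.0.7.9
2024-03-04T23:48:30 contractor_c VIEW PT-1004 203.0.113.7
2024-03-04T23:49:01 contractor_c VIEW PT-1005 203.0.113.7
2024-03-04T23:49:20 contractor_c VIEW PT-1006 203.0.113.7
2024-03-04T23:50:02 contractor_c VIEW PT-1007 203.0.113.7
2024-03-04T23:50:40 contractor_c EXPORT PT-1008 203.0.113.7
2024-03-04T10:30:00 nurse_a VIEW PT-1009 10.0.5.21
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 counts as normal; assumed policy
BULK_THRESHOLD = 4              # distinct records per user per day; assumed
INTERNAL_PREFIXES = ("10.",)    # assumed internal address space


def parse_log(text):
    """Parse the constructed format into one dict per access event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record, ip = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record": record,
            "ip": ip,
        })
    return events


def review(events):
    """Return a sorted list of (user, reason) findings for a reviewer."""
    findings = set()
    per_user_day = defaultdict(set)   # (user, date) -> distinct records touched
    for e in events:
        internal = e["ip"].startswith(INTERNAL_PREFIXES)
        per_user_day[(e["user"], e["time"].date())].add(e["record"])
        if e["time"].hour not in BUSINESS_HOURS:
            findings.add((e["user"], "after-hours access"))
        if not internal:
            findings.add((e["user"], "access from non-internal address"))
        if e["action"] == "EXPORT" and not internal:
            findings.add((e["user"], "export from non-internal address"))
    # Volume check runs after the loop so the per-day totals are complete.
    for (user, _day), records in per_user_day.items():
        if len(records) >= BULK_THRESHOLD:
            findings.add((user, f"bulk access: {len(records)} records in one day"))
    return sorted(findings)


def review_sample():
    """Run the review over the constructed log; used by the demo and tests."""
    return review(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for user, reason in review_sample():
        print(f"{user}: {reason}")
```

Each finding is a prompt for a human to ask a question, not a verdict: a nurse on night shift legitimately generates after-hours entries, so the thresholds and hours should come from the organization’s own risk assessment rather than from this script’s placeholder values. The useful property is that the check runs every day, which is what turns a log that merely “records” into one that “examines.”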
There is no substitute for practicing breach drills to help your team be ready. When your organization is prepared to respond swiftly, you can contain damage as efficiently as possible should the unthinkable happen.
When your IT team has powerful IT asset management tools, it has a firmer foundation for developing security policies that can protect valuable data and mitigate damage in the event of a breach. Samanage is a leading IT asset management software that offers your team the latest tools for monitoring hardware and software, allowing your people to detect potential problems earlier than they might otherwise.