Healthcare organizations are a prime target for many malicious individuals and organizations in the information age. Identity thieves, blackmailers, and even the curious public are attracted to the intense amounts of personal information a healthcare organization must collect to provide adequate levels of care. Understanding the current state of security in healthcare is paramount to running any patient-focused care organization.
Security Compliance in Healthcare
Any healthcare security officer will be familiar with the Department of Health & Human Services rules, including the HIPAA Security Rule and HIPAA Privacy Rule. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the predominant law regarding compliance with securing information in the healthcare industry. These rules and laws are in place to ensure that healthcare organizations exceed standards of security found in other industries because of the difficult and sensitive nature of healthcare records.
Recent Breaches to Notice
HIPAA Journal noted the Largest Healthcare Data Breaches of 2017 that might affect your healthcare business. These security breaches include W-2 scams, stolen computers, hacking, and 3rd party security breaches affecting healthcare organizations’ sensitive data.
These security breaches all point to several issues in the current state of security for healthcare organizations: monitor business partners and vendors, teach employees proper security protocols, and strategically plan for attacks through penetration testing of both physical and virtual assets.
Common Vulnerabilities to Protect
After the disastrous rollout of healthcare.gov for security issues, insurance providers and healthcare providers need to be doubly certain that they are not providing an additional vulnerability for their user’s private information.
While we go into more depth on specific security concerns in other articles, here are a few higher-level concepts to keep in mind as you are planning out your healthcare business’s IT security.
- Encrypt User Sessions – This basic principle is becoming standard (Google is starting to rank encrypted web-pages more favorably), but was an important issue Healthcare.gov missed. Encrypt any communication that goes out over a network , otherwise you risk having it intercepted.
- Teach Employees About Basic Principles – W-2 scams, ransomware and scareware, phishing issues, all exploit the individual weaknesses of your employees. Rather than trying to brute force a password with hundreds of thousands of combinations, hackers will simply convince employees that the hacker should have sensitive information and the employee should give it to them. Teach employees how to exit popups without engaging with any script inside the window, how sensitive information will be handled within your organization, and ensure that you have proper security in place for each user’s needed level of interaction.
- Publish and Communicate Your Customer Interaction Plans – What do employees never ask for on the phone? Do your employees and patients know this plan? How is sensitive information handled? Addressing these questions clearly and consistently will help you establish proper security protocols.
- Secure Physical and Virtual Infrastructure – Make certain that locks are not easily defeated, that computers have adequate passwords and are not left unattended, and do other basic activities to make certain that vital information is inaccessible to those who do not need it.
The current state of security in healthcare is changing, but as things change, the more they stay the same. Basic principles and activities stand the test of time and ensure that you are treating your customer’s information with the best security processes. For more information regarding securing healthcare IT, please contact us today.