Security breaches, especially in the healthcare and finance industries, are not new. Each incident reveals new weaknesses in the tools organizations use to defend and protect data. Unfortunately, each one also highlights the fact that companies continue to make the same mistakes over and over again. Recent incidents like the Cambridge Analytica data scandal show new ways for attackers to get around organizational defenses.
Securing Healthcare Data
Healthcare data is more valuable than ever before. Criminals can use stolen records for identity theft, insurance or credit card fraud, and scams against the patients themselves. In addition to these general security and privacy concerns, dental professionals also have to comply with HIPAA requirements.
So, what can we learn from the recent breach involving Cambridge Analytica?
People, Processes, and Technology
Security infrastructure is not just about software and hardware. It also includes procedures, people, and policies. Even the best firewall or antivirus software will not protect your data if a user gives away their password. The software can notify you that a breach happened. It is up to you to handle the repercussions, deal with the intrusion and ensure data integrity.
All too often, dentists deploy a few security tools and consider the matter closed. You also need security policies in place that outline the steps to be taken when an incident occurs. How do you want your employees to respond to a security breach? Should they shut down computers, disconnect them from the network, or notify the security company? (Shutting a machine down can destroy evidence an investigator needs, which is exactly why the answer should be decided in advance, not in the moment.) All these steps should be clearly set out in the security policy and distributed to all users.
Security Awareness and Training
The Cambridge Analytica incident occurred through a Facebook app. Although the company claimed that users had consented to the use of their data, it was revealed that data about those users' friends was also collected. It once again highlights the biggest issue in IT security: the end user. An informed user might not have used an app that required so many permissions or harvested private information.
Security awareness should cover all areas pertaining to data, including email, data storage, deleting patient records and so on. Social engineering tactics such as phishing are much easier for attackers to pull off than directly breaching your technical defenses. User training and awareness, backed by controls such as multi-factor authentication and email filtering, is your main defense against such tactics.
Always Have a Backup
In 2016, the healthcare industry witnessed the rise of ransomware. Attackers gain access to your systems, encrypt your data and demand payment from the victim for the decryption key. If the majority of your data is stored on computers, how can you continue treating your patients?
The best defense is to always have a backup of your data in a secure location. It will allow you to continue working without going back to pen and paper, and it means you don't have to pay up to get your data back. Two caveats: ransomware routinely encrypts or deletes any backup it can reach, so at least one copy should be offline or otherwise immutable, and a backup that has never been test-restored is only a hope. Research indicates that it takes months and millions of dollars for organizations to get back on their feet after a security breach. Isn't it better to be prepared than to hope that you don't become the next target?
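As an added example, not code from the original article, the script below shows what "have a backup" looks like when it is actually checked: it packs a folder into an archive together with a SHA-256 manifest, test-restores the archive into a scratch directory and re-hashes every file, and flags files that changed since the last backup (the signal that a nightly job is about to back up ciphertext rather than patient records). The sample "practice data" files, paths and the simulated ransomware are constructed for the demo and are assumptions, not anything from the page.

```python
"""Backup with a hash manifest, plus the restore test that proves it works.

Added example, not code from the original article. The sample files, paths
and simulated ransomware below are constructed for the demo; in practice the
source would be the EHR/data folder and the verified archive would then be
copied to offline or immutable storage.
"""
import hashlib
import io
import json
import secrets
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large records need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Map each file's relative POSIX path to its SHA-256 digest."""
    return {
        p.relative_to(src).as_posix(): sha256_file(p)
        for p in sorted(src.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict:
    """Write src into a gzip tarball together with its manifest; return the manifest."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
        data = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def changed_since_backup(src: Path, manifest: dict) -> list:
    """Files whose current hash differs from the manifest (or that vanished).

    Run before each backup job: if every file changed since last night, the
    job is about to back up ciphertext, not patient records.
    """
    return sorted(
        rel for rel, digest in manifest.items()
        if not (src / rel).exists() or sha256_file(src / rel) != digest
    )


def _safe_member(name: str) -> bool:
    """Reject absolute paths and '..' so a crafted archive cannot escape the restore dir."""
    return not name.startswith("/") and ".." not in Path(name).parts


def verify_backup(archive: Path) -> tuple:
    """Test-restore into a scratch directory and re-hash every file.

    Returns (ok, problems). This is the check that turns an archive into evidence.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            members = [m for m in tar.getmembers() if _safe_member(m.name)]
            # Newer Pythons also offer filter="data"; use it when present.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(path=dest, members=members, **extra)
        manifest_path = dest / MANIFEST_NAME
        if not manifest_path.exists():
            return False, ["manifest missing from archive"]
        manifest = json.loads(manifest_path.read_text())
        for rel, digest in manifest.items():
            restored = dest / rel
            if not restored.exists():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"hash mismatch after restore: {rel}")
    return not problems, problems


def demo() -> dict:
    """Back up a constructed data folder, verify it, then simulate ransomware."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "practice-data"
        (src / "notes").mkdir(parents=True)
        # Constructed sample records, not real patient data.
        (src / "schedule.csv").write_text("date,patient,procedure\n2024-03-01,P0001,cleaning\n")
        (src / "notes" / "patient-0001.txt").write_text("Routine exam, no findings.\n")
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        ok_before, _ = verify_backup(archive)
        # Simulated ransomware: every source file is overwritten with random bytes.
        for rel in manifest:
            (src / rel).write_bytes(secrets.token_bytes(64))
        changed = changed_since_backup(src, manifest)
        ok_after, _ = verify_backup(archive)  # the archive itself was not reachable
        return {"files": len(manifest), "verify_ok": ok_before,
                "changed_after_ransomware": changed, "archive_still_ok": ok_after}


if __name__ == "__main__":
    print(demo())
```

The design point is that the manifest is stored inside the archive and re-checked after a real extraction, so the test exercises the same path a recovery would. The `changed_since_backup` result is what a pre-backup hook would alert on: a handful of changed files is a normal working day, every file changed is an encryption event, and copying that state over your last good backup is how practices end up paying anyway.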
Practices that use cloud-based EHRs shift part of the security burden to the vendor, but that doesn't mean you're off the hook when it comes to protecting patient data. You have to ensure that the vendor will sign a HIPAA business associate agreement and stores patient information in a way that meets HIPAA requirements. You have to verify their security protocols and be sure confidential information is only accessible by authorized users. The old adage that prevention is better than cure applies to IT security just as well as to healthcare!