Today’s workforce cares as much about convenience as it does about security. This puts a burden on IT security professionals, who need to balance the wants and needs of their employees against the rules and regulations surrounding Protected Health Information (PHI). Healthcare managers who focus on areas such as IT, data security and risk management should ensure their organization is protected from threats both inside and outside. This kind of multi-front security plan can be daunting for smaller organizations, but it is critical to staying secure as your organization grows and new employees are brought in and trusted with valuable PHI. One must never forget that the ultimate risk of a data security failure is more than fines and costly restructuring initiatives: it is losing the trust of your patients.
As an executive, it may be instinctive to feel that your information security strategy needs to focus on external threats and on competitors that might wish to gain an advantage over your organization. However, as most CISOs know, the majority of PHI misappropriation comes from internal threats. Additionally, among internal PHI breaches, a large portion are cases of negligence and non-malicious circumvention of controls rather than the work of disgruntled employees.
Healthcare IT managers need to ensure their organizations deploy an infrastructure built for transparency, for the sake of compliance. By allowing management to control and audit the movement of, and access to, data at a fine-grained level, insider threats can be identified and resolved before any data is improperly accessed or distributed. Furthermore, a transparent infrastructure allows immediate threat mitigation by enabling remote user lockout instead of traditional HR-led access revocation.
Fine-grained control of user applications is another strong security measure that can be implemented fairly simply. It means that your staff will only have access to the tools and applications that you allow, which prevents well-meaning employees from downloading unapproved applications that could present a threat to data security. All applications should be vetted by your IT team to ensure they can be trusted to handle the sensitive data that comes with the healthcare industry.
Lastly, providers should focus on physical endpoint security. This may seem like an issue for your operations team, but IT managers need to keep physical security breaches, such as property theft, from turning into HIPAA violations. By employing encryption of data at rest and full-disk encryption, organizations can be confident in the security of their PHI in the event of a physical compromise. Physical threats tend to come from external actors rather than internal mistakes, as we will explore next.
Sure, external actors are a major threat to our organizations, but they may not be attacking in the ways one would assume. In 2018, a US healthcare provider racked up $3.5 Million in fines for a breach affecting over 500 individuals. What was the cause? It wasn’t malicious employees or even external hackers looking for any data they could find. Instead, it was a string of physical break-ins at multiple facilities that resulted in electronic equipment, such as personal phones and company computers, being stolen. It is unclear whether the thieves were after the PHI on the devices, but it is safe to assume that they were most likely after the monetary value of the electronics themselves.
It can be difficult to see a fellow provider go through something like this, especially when the breaches were the result of a third party, but one must see this case as an example of how easily you can lose the trust of your clients and face stiff penalties. If you are like this organization, you and your IT team have put serious hours into network security, employee training and asset management. What needs to be reviewed during your next risk analysis, however, is the threat to your data at rest. Healthcare security professionals should pay extra attention to the risk posed by local data storage when planning for the future.
One of the best ways to prevent an incident like this from hurting your patients is to implement a desktop virtualization solution that you can monitor and control at a fine-grained level. Solutions such as Amazon Web Services’ (AWS) WorkSpaces can provide your organization with a fully managed fleet of cloud-based Windows desktops, accessible from both personal and company equipment. The most obvious benefit is that no data is ever stored on the local device, meaning that even if a piece of equipment used to view PHI is lost or stolen, the data cannot be recovered from the local device. IT departments can immediately revoke access at the device level following the report of an incident, further reducing the opportunity for HIPAA violations.