Open any news report and you can see that data breaches are becoming pandemic. Any company that houses sensitive digital information is at risk, and these days, that’s most companies. Most recently, hackers targeted the country’s second-largest health care insurer and gained access to the personal information of more than 80 million current and former customers. All of those customers are now at risk of identity theft, and the company is facing potential class-action lawsuits and Congressional hearings. In this case, protected health information (PHI) does not appear to have been accessed, but hackers will not stop: health records are worth many times more than credit card numbers on the black market, according to the FBI’s cyber security division, which has warned the industry about its “lax cyber security standards.” Health care facilities are at particular risk; a U.S. privacy think tank, the Ponemon Institute, found that 40 percent of the health care organizations it surveyed in 2014 reported being attacked by malware designed to steal data, up from 20 percent in 2010. Security researchers expect attacks targeting health data to become increasingly common, and MIT Technology Review has ominously predicted that 2015 will be the year of the hospital hack.
Data breaches can hit you from many different angles. They can be caused by independent or state-sponsored hackers, malicious insiders, lost or stolen laptops, or plain employee error. HIPAA’s privacy rule requires that a covered entity have reasonable and appropriate administrative, technical, and physical safeguards in place to protect PHI, and the HITECH Act of 2009 strengthened the civil and criminal enforcement of the HIPAA rules. Any company that houses PHI should have an adequate security budget and dedicated security staff.
Information security is best played proactively: it is very difficult to defend against a dedicated attacker if you only react after the fact. A good security awareness program should have top-level support from the C-suite and should be ingrained as part of the business culture. Information security is everyone’s responsibility, so establishing a culture of security is critical. Here are a few suggestions for your company to consider:
- Train employees, and enforce the rules. Limit the number of people who can access sensitive data to those whose job actually requires it, and review that access list regularly.
- Make sure your IT security team looks at logs and reports daily, and that the most important events (failed logins, privileged access, bulk record retrieval) raise alerts rather than waiting to be read. Having an unauthorized hacker on the network is a bad thing, but letting that hacker go unnoticed for months can be a disaster.
- Stay up to date with peers in the industry. You do not want to wake up one morning and find your security program is obsolete.
- Know where sensitive data is located on the network. Conduct regular inventory sweeps of your file shares, databases, backups, and endpoints. If you do not know where the data is, you cannot know whether it is adequately protected.
- Don’t house sensitive data that is not required to do business. If you don’t need social security numbers, salary information, email addresses, etc., don’t collect them, and purge what you no longer need. Data you do not hold cannot be stolen from you.
- Encrypt your data. Encryption is a key component in the information security chain and should not be overlooked: encrypt sensitive data in transit and at rest (including backups and laptops), and keep the keys separate from the data they protect, because an encrypted database whose key sits beside it gives you little in a breach. Establishing encryption standards is a must for organizations that are truly dedicated to securing their data.