Close your eyes and imagine for just a few seconds (don’t let yourself spiral) that you’ve learned that your healthcare facility just exposed private patient information. What were your first thoughts, and what ramifications would impact your clinic, your patients, your co-workers, yourself? Be relieved that’s not currently the situation you’re in, and especially thankful that you have the opportunity to close security holes before they become a problem.
Most of us don’t consider the ramifications of a sensitive data breach until we’re forced to deal with one. In the healthcare industry, an out-of-sight, out-of-mind approach is simply unacceptable. The good news is that a proactive approach to securing your patients’ private health information need not consume many resources or incur much cost. Though often undervalued, the following directives will help protect your patients and your practice while allowing your office to stay focused on providing an excellent, engaging patient experience.
Vigilantly train yourself and your staff. While difficult to admit, the human element is often the weakest link in the data security chain. Your team should already have a personnel training program under HIPAA guidelines, but I’ll wager it is due for a review and update. Physicians and clinic staff who are not trained on current threats and on your office’s own security procedures can inadvertently open gaping security holes. Spending a little time and/or money now to update your training process could easily save your organization many times that amount in the future. You can get started with a multitude of free, up-to-date resources at HHS.gov that cover everything from the HIPAA Security Rule to actively managing a cyber attack.
Out of Date or Unpatched Software
Overcome your fear of updates (or your fear of asking IT to apply them). Regardless of how they may affect other programs or your office workflow, ‘critical’ and ‘security’ software patches and firmware updates absolutely must be applied, promptly, to all software, operating systems, and networking hardware. If a patch might disrupt a critical application, test it on one workstation first and then roll it out everywhere; a delay of days to test is reasonable, a delay of months is not. Consider the last challenge you overcame or skill you perfected, like a recipe you refined or a physical fitness milestone. It likely took several attempts with modified methods or tactics before you succeeded. That is precisely what attackers do when they try to reach secure data, and these criminals have far more time and motivation to try new “recipes” than you do. Many intrusions exploit flaws for which a fix was already available; by keeping the latest updates installed, and by replacing networking hardware the vendor no longer issues patches for, you keep the target attackers are reaching for constantly moving away from them.
Lack of Recent Backups
Back up, then back up your backup. When we ask healthcare practice managers and medical IT professionals whether they back up critical systems and PHI data, the answer is a proud “YES”. Unfortunately, the responses get fuzzy when we start talking about backup encryption, testing backup data, off-site backups, cloud utilization, and data recovery plans. It is no longer enough to have a data backup, or even redundant backups, and it has never been easier to automate encrypted data redundancy. Mass storage with built-in encryption is inexpensive, and cloud-based backup services with similar encryption are widely available and affordable. Make certain you have encrypted on-site and remote backups, and that at least one copy cannot be altered or deleted by someone who has compromised your network (offline media, or a cloud tier with immutable retention), so that an attacker who encrypts or wipes your systems cannot take the backups with them. Schedule regular dates for your IT staff or contractors to test your backups by actually restoring them: a backup job that reports success proves only that it ran, not that the data can be recovered. Finally, have an easy-to-follow plan in place for data recovery, and for dealing with the fallout if an actual data breach ever occurs.
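What “test your backups” means in practice is a restore test, not a glance at the job log. The script below is an added example (mine, not code from the original post): it archives a constructed directory of placeholder records, records the archive’s SHA-256, restores into a scratch location and compares every file against what was backed up, and then shows the same check failing once a single byte of the stored archive is flipped. The gzip-tar format, the digest kept beside the archive, and the placeholder files are assumptions for the example; encryption of the archive is left out so that the script needs only the Python standard library.

```python
"""Restore-test a backup: archive a directory, record the archive digest,
restore into a scratch location, and compare every file byte-for-byte.

Added illustration, not code from the original post. The "patient record"
files are constructed placeholders; the archive format (gzip tar) and the
digest sidecar are assumptions for the example. Encryption of the archive
is deliberately left out to keep the example to standard-library Python.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_digests(root: Path) -> dict:
    """Map each file under root (by relative path) to its SHA-256 hex digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> str:
    """Write a gzip tarball of source and return the archive's SHA-256.

    Store the digest next to the archive and with the off-site copy; it lets
    you notice bit-rot or tampering before a restore is even attempted.
    """
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return hashlib.sha256(archive.read_bytes()).hexdigest()


def restore_test(source_digests: dict, archive: Path, expected_digest: str) -> bool:
    """True only if the archive is unchanged since it was written AND a full
    restore reproduces every file recorded in source_digests."""
    if hashlib.sha256(archive.read_bytes()).hexdigest() != expected_digest:
        return False  # the stored copy differs from what was written
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The "data" filter (Python 3.12, backported to older 3.x
                # releases) refuses absolute paths and "../" entries, so a
                # tampered archive cannot write outside restore_dir.
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(restore_dir, filter="data")
                else:
                    tar.extractall(restore_dir)
        except (tarfile.TarError, EOFError, OSError):
            return False  # unreadable archive: the restore fails
        return file_digests(restore_dir) == source_digests


def demo() -> dict:
    """Run the test on a good archive and on a copy with one byte flipped."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "2024").mkdir(parents=True)
        (src / "2024" / "visit-0001.txt").write_text("placeholder visit note\n")
        (src / "index.csv").write_text("id,file\n1,2024/visit-0001.txt\n")
        # Digests are taken at backup time, so the check compares the restore
        # against what was backed up, not against a source that may have
        # changed since.
        expected_files = file_digests(src)

        archive = Path(tmp) / "records.tar.gz"
        digest = make_backup(src, archive)
        intact = restore_test(expected_files, archive, digest)

        # Simulate silent corruption of the stored copy: flip one byte.
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(bytes(data))
        corrupted = restore_test(expected_files, archive, digest)

        return {"intact": intact, "corrupted": corrupted}


if __name__ == "__main__":
    print(demo())  # {'intact': True, 'corrupted': False}
```

Run the same restore test against the off-site or cloud copy, not only the local one, and keep the digest somewhere the backup job itself cannot overwrite; a job that both writes the archive and the digest it is checked against will never report a problem.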
Poor Password Policy
Stop using the same passwords. This should be a no-brainer; however, since we’re all only human and most of us have a limited ability to remember multiple complex passwords, it is easy to neglect. Anyone in any facet of healthcare with access to systems that store or access PHI must have a unique password for each system, so that one stolen or leaked password does not open every other system. In your office, this must be non-negotiable if it is not already. Note that forcing staff to change passwords on a calendar schedule is no longer recommended: the current NIST guidance (SP 800-63B) is to require a change when a password may have been exposed, to prefer length over complexity rules, and to screen new passwords against lists of known-breached passwords. Make it easier on yourself and your staff to comply by using a password manager, which generates and stores a distinct random password for every system so that each person memorizes only one strong passphrase, and by turning on multi-factor authentication wherever a PHI system offers it. For the passphrases that still have to be memorized, coach easy methods of memorization. Use the first letter of each word in a quote or song lyric and include a memorable number. For example, the quote “May the Force be with you.” yields a password such as “MtFbwy27!”, which is far easier to remember than a similar password with no mnemonic behind it. Prefer a line that is obscure rather than famous, since attackers’ guessing lists already include the well-known ones, and never use any example printed in an article, including this one. Alternatively, a string of several truly random words followed by a number and a special character can be equally strong, e.g., “CorvetteJakeLatteFootball7!”; the words must come from a random pick (dice or a generator), though, not from your car, your kids, or your hobbies, which anyone who knows you or reads your social media can guess.
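To put numbers on the two schemes above, here is an added example in Python (mine, not from the original post): a passphrase generator that draws from the operating system’s cryptographic random source, an entropy estimate showing why words picked at random from a large list beat words picked because they mean something to you, and a policy check in the spirit of NIST SP 800-63B (a length floor plus a breach-list screen, no expiry date). The word list and the breached-password set are constructed stand-ins, and the figure of roughly 100 “personal” words an acquaintance could write down is an assumption used for the comparison.

```python
"""Passphrase generation and strength estimate for a practice password policy.

Added illustration, not code from the original post. SAMPLE_WORDS is a
constructed stand-in for a large public list (the EFF long list has 7,776
words); the list size drives the entropy figures, not the particular words.
The breached-password set is likewise constructed; in production you would
query a breach-check service rather than keep a local list.
"""
import hashlib
import math
import secrets

SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "delta", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nickel", "orchid", "pepper",
]
EFF_LONG_LIST_SIZE = 7776  # 6**5 words, one five-dice roll per word
PERSONAL_FACTS = 100       # assumed size of the "words that mean something to you" pool

# Constructed stand-in for a breach corpus: SHA-1 of passwords an attacker
# tries first, including the example printed in the article above.
KNOWN_BREACHED = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password1!", "Welcome2024", "MtFbwy27!")
}


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy, in bits, of n_words picked uniformly and independently from
    a list of list_size words: log2(list_size ** n_words).

    The figure only holds when the pick is random. Words chosen because they
    "mean something to you" come from the far smaller list an acquaintance
    could write down, so their real entropy is that of the smaller list.
    """
    return n_words * math.log2(list_size)


def generate_passphrase(words, n_words: int = 5, separator: str = "-") -> str:
    """Pick words with the CSPRNG (secrets), never the random module."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def policy_issues(password: str, min_length: int = 12) -> list:
    """Return the reasons a candidate password fails the policy (empty = OK).

    Follows NIST SP 800-63B: a length floor and a breach-list screen, with no
    composition rules and no calendar-driven expiry.
    """
    issues = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if hashlib.sha1(password.encode()).hexdigest() in KNOWN_BREACHED:
        issues.append("appears in a known-breached password list")
    return issues


def comparison() -> dict:
    """Entropy of the schemes discussed in the article, rounded to 0.1 bit."""
    return {
        "4 personal words": round(entropy_bits(PERSONAL_FACTS, 4), 1),
        "4 random words": round(entropy_bits(EFF_LONG_LIST_SIZE, 4), 1),
        "6 random words": round(entropy_bits(EFF_LONG_LIST_SIZE, 6), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(comparison())
    # {'4 personal words': 26.6, '4 random words': 51.7, '6 random words': 77.5}
    print(policy_issues("MtFbwy27!"))
    # ['shorter than 12 characters', 'appears in a known-breached password list']
```

Four words an acquaintance could guess give about 27 bits, which an offline guessing rig exhausts in seconds; four words rolled from a 7,776-word list give about 52 bits, and six give about 78. In a real deployment, load the EFF long list in place of SAMPLE_WORDS and replace the local KNOWN_BREACHED set with a query to a breach-check service such as the Have I Been Pwned range API, which lets you check a password without sending it.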
You must regularly seek out vulnerabilities. Discovering a potential vulnerability in your layers of data security can be both frightening and potentially costly to resolve. Because of this, most organizations don’t actively search for chinks in their cyber security armor nearly often enough. For care-provider organizations, this approach is truly dangerous. Clinics, offices, and hospitals see so many changes in staff, protocols, standards, and regulations that vulnerabilities can easily appear without announcing themselves: a departed employee’s account that was never disabled, or a new device added to the network without review. By making a regular plan to review your data safeguards, you are more likely to find holes and decrease liability. The truth is that resolving a discovered vulnerability is rarely too costly or time-consuming, and certainly less so than if an attacker finds it first.
Unencrypted Data and/or Bloated Data Surface Area
Data should be minimized, and encrypted both at rest and in transit. Unencrypted data in use should be exposed only for as long as it is needed and strictly protected. We all feel the same annoyance when encrypted data is difficult or time-consuming to access. Naturally, we tend to “make things easier on ourselves” by duplicating that data to alternative storage, or even to completely unencrypted files, notes, spreadsheets, and e-mail. Every such copy widens the area you have to defend, and if an unencrypted copy is lost or exposed, it is a reportable breach in its own right. At the very least, it’s a breach waiting to happen. Resist the urge to duplicate and spread your sensitive data footprint, and talk to your IT staff about any pain points you experience when accessing patient data, since fixing the pain point removes the motive for the copy.
As you review and consider closing these six data security holes, your main takeaway should be that vigilance in patient data protection does not have to mean excessive cost or outsized effort. Most of what we’ve discussed amounts to paying a little more attention to the plans and methods you already have. For that touch of extra effort, you should be rewarded with greater confidence in your data security, and maybe even fewer restless nights.
Please let us know if you have comments or questions, and subscribe to our Email Updates so that you are sure to receive Thinking Thursdays TIPs.
Jerry L. Stone