IBM Chairman, CEO, and President Ginni Rometty has called cyber crime “the greatest threat to every company in the world.” It’s estimated that cyberattacks cost businesses as much as $400 billion a year in 2015, and experts are predicting that this will quadruple from 2015 to 2019. As more aspects of our personal and professional lives are digitized, the cost of data breaches could reach $2.1 trillion globally by 2019.
Any business that transmits or stores valuable data is an attractive target for cyber crime, and nowhere is the threat more real than in healthcare, where protected health information (PHI) is more sensitive (and financially valuable) than in any other industry. The impact of a breach in healthcare can be very serious, causing financial, reputational, and operational damage to hospitals, as well as affecting patient privacy, expenses, and even health.
Healthcare IT teams must take security very seriously to avoid breaches. Of the 112 million healthcare record breaches last year, many could have been prevented if security policies and encryption had been properly implemented. Let’s take a look at 10 steps to securing data at your hospital:
1. Complete a risk analysis: Before you begin developing a strategy to secure data in your environment, it’s important to define and understand the current level of risk. Conduct a HIPAA risk assessment to quantify risks.
2. Develop a strategic plan for security and Master Data Management: Once you have qualified the risk, begin architecting a strategic plan regarding Master Data Management, making sure to define data identifiers that are considered “sensitive data” (data that has to be protected).
3. Catalog all services used to access sensitive data: After isolating data elements that need to be protected, begin the process of identifying all applications, end points, and systems that are used to transmit or store sensitive data.
4. Create and nurture a security-minded culture: Begin strategically communicating to the end-user population the importance of security, focusing on patient safety and privacy rights. Make sure to show how security precautions can have a real impact on patients.
5. Develop security policies: Develop policies to outline secure and acceptable use of technology. These policies may include (but are not necessarily limited to) acceptable use, endpoint/mobile security, and/or BYOD policies.
6. Encrypt data at rest: Enforce full-disk encryption on all endpoints used to store sensitive data with device management. Sensitive data stored on servers and SANs must also be encrypted when at rest.
7. Encrypt data in motion: Enforce encryption for all sensitive data transmitted via web and applications with current VPN, WPA, and SSL/TLS encryption.
8. Encrypt communications: Enforce encryption for all text-based conversations that contain sensitive data with secure text messaging.
9. Educate users: Once strategies, policies, procedures, and technologies are in place, users will need to be educated on how to ensure their workflows are secure (what technologies they should be using and how they should be using them. This will help ensure that all people, processes, and technologies are working together to create a secure environment. Security education is not a one-time activity; make sure a continuous flow of security education is in place.
10. Monitor and audit usage: Make sure that systems and usage are audited regularly to validate and maintain a strong security posture. Ensure remediation plans are in place to mitigate any noncompliance that is identified.
Now is the time to pursue a strong security process and protect your hospital from potential threats. There are hackers all across the world looking to access sensitive healthcare data in order to exploit it for financial gain. You can reduce the risk of this from happening and protect patient privacy by proactively addressing organizational security needs.