Although breaches at large healthcare providers tend to grab the most headlines, even smaller practices need to be on guard to prevent malicious attackers or simple human error from exposing their protected information.
Many breaches occur not as the result of a single problem, but rather when several things go wrong at the same time. What may begin as a simple mistake in handling sensitive information can become a serious breach. The right controls and procedures must be in place to catch a potential problem early and prevent it from growing rapidly.
Thankfully, such preventative steps often rely on common sense and basic security thinking, rather than the latest in high-tech software and hardware, and so are available to practices of every size. Here are five ways to prevent a health data breach at your practice:
1) Become “data-centric.” This might sound like the latest buzzword from the security industry, but it really takes good sense and applies it to the problem of keeping data secure. It’s easy to become overwhelmed by the number of new devices -- smartphones, tablets, laptops and so on -- in the practice. Rather than worrying about the devices as such, think about the information. Where is the data stored, who has access to it, and from where can it be accessed? Rethinking your security in terms of information is both easier and more effective than focusing on hardening every device in your organization against every threat.
2) Monitor for unusual behavior. If you are attacked, the best way to spot that you’ve been breached is by identifying unusual activity. This is often referred to as “anomalous behavior detection,” and it relies on something we all do in our everyday lives. If you walk into a room in your house and someone has moved a piece of furniture, you spot it immediately. That’s because the change stands out, even if the item of furniture by itself did not. Perhaps a system that is only used occasionally is suddenly very active, or maybe a user appears to be accessing far more data than usual. Either way, it is the change in behavior that matters, and that change can be the first -- and best -- chance to spot even a highly sophisticated attack.
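The furniture analogy above translates directly into a per-user baseline: learn what "normal" looks like for each account, then flag a day that is far outside that account's own range. The following is an added example written for this article, not code from the original piece. It assumes a simple constructed audit log format of `date,user,records_accessed` (one line per user per day), builds each user's baseline from the preceding days, and flags a day as anomalous when the count exceeds the mean by more than a few standard deviations. The `min_abs_jump` guard handles the edge case of a flat baseline (a dormant service account whose standard deviation is zero), where any noticeable jump should stand out.

```python
"""Anomalous-behaviour detection over constructed EHR audit-log lines.

Added example for illustration only; the log format and all values below
are constructed, not taken from any real system.
"""
import statistics
from collections import defaultdict

# Constructed sample log: "YYYY-MM-DD,user,records_accessed".
# nurse_a opens ~40 records a day, then 410; backup_srv is normally idle.
SAMPLE_LOG = """\
2024-03-01,nurse_a,42
2024-03-02,nurse_a,38
2024-03-03,nurse_a,45
2024-03-04,nurse_a,40
2024-03-05,nurse_a,41
2024-03-06,nurse_a,410
2024-03-01,billing_b,120
2024-03-02,billing_b,115
2024-03-03,billing_b,130
2024-03-04,billing_b,118
2024-03-05,billing_b,122
2024-03-06,billing_b,125
2024-03-01,backup_srv,0
2024-03-02,backup_srv,0
2024-03-03,backup_srv,0
2024-03-04,backup_srv,0
2024-03-05,backup_srv,0
2024-03-06,backup_srv,3000
"""


def parse_log(text):
    """Return {user: [(date, count), ...]} preserving file order."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, user, count = line.split(",")
        per_user[user].append((date, int(count)))
    return per_user


def is_anomalous(history, value, min_history=3, sigma=3.0, min_abs_jump=5):
    """True if `value` is far above this user's own baseline.

    history       -- counts from earlier days for the same user
    min_history   -- do not judge until we have seen this many days
    sigma         -- how many standard deviations above the mean to tolerate
    min_abs_jump  -- floor on the tolerance, so a flat baseline (stdev 0)
                     still only fires on a real jump, not on noise
    """
    if len(history) < min_history:
        return False
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history)
    threshold = mean + max(sigma * stdev, min_abs_jump)
    return value > threshold


def find_anomalies(text, **kwargs):
    """Walk each user's days in order, comparing each day to the days before it.

    Returns a list of (user, date, count, baseline_mean) for flagged days.
    """
    findings = []
    for user, entries in parse_log(text).items():
        history = []
        for date, count in entries:
            if is_anomalous(history, count, **kwargs):
                baseline = round(statistics.fmean(history), 1)
                findings.append((user, date, count, baseline))
            history.append(count)
    return findings


if __name__ == "__main__":
    for user, date, count, baseline in find_anomalies(SAMPLE_LOG):
        print(f"{date} {user}: {count} records (baseline ~{baseline})")
```

Run as-is, the script flags `nurse_a` on 2024-03-06 (410 against a baseline of about 41) and `backup_srv` on the same day (3000 against a baseline of 0), while `billing_b` is never flagged because its higher volume is its normal. Comparing each account to its own history, rather than to a single fixed threshold, is what keeps a busy billing clerk from drowning out a quiet account that suddenly wakes up.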
3) Segregate systems. The push to connect everything and provide greater-than-ever access for patients to their information makes the ability to control where information is available vitally important. Patient data obviously needs greater protection than, say, next week’s menu choices -- yet once inside the network perimeter, these items may be sitting side-by-side. Careful segregation of networks helps prevent attackers from establishing a beachhead in the areas where sensitive information is stored, and it also helps reduce the risk that sensitive information is copied and left unprotected (as can all too often happen) on a forgotten server.
4) Have a good response plan in place. Breaches happen. Attackers find ways into your network, or an employee makes a mistake, and if they haven’t yet, there’s a good chance they will soon. So what counts is this: Do your IT and security teams know what to do next? Can they quickly identify whom to call? Do they know which systems and services they can shut off, and who can make those decisions at 3:00 a.m. on a Sunday? And if the worst happens, and data is taken, can they quickly get access to the information necessary to decide whether that data was sensitive and unprotected? Silly mistakes (such as shutting down a breached system too soon) can allow attackers to get away, and an inadequate response can cripple your chances of limiting the damage and assisting investigators.
5) Encrypt everything, especially anything sensitive. There is a reason that encryption is one of the oldest security technologies in the world: It works. Sensitive information of any kind should always be encrypted if at all possible. The great value of encryption is that it renders information inherently unusable without the key -- and that can be a lifesaver in the event of a breach. The simple fact is that if everything else fails -- intrusion detection, monitoring, access controls, and so on -- then encrypting the data will still prevent a serious breach from occurring. It’s no coincidence that so many compliance and breach notification laws specifically exclude encrypted data from their scope: it’s the last, best way to keep information safe, and when a breach does occur it can mean the difference between having a bad day at the office and facing millions of dollars in costs and damages.
Keep these five steps in mind as you assess the security of your patients’ health information.