Health care breaches reached an all-time high last year, as employees and patients of major health care organizations found themselves victims of cyber attacks. Health care records have grown in value. Because they contain credit card data, email addresses, social security numbers, employment information and medical history, these records are both a desirable target for cybercriminals looking for a quick payout or, for the long con, a vehicle to engineer convincing correspondence to enter a corporate network via phishing. Whether stealing an identity, phishing for a payout or setting up a ransomware attack, compromised data, once out, is out forever.
Health care organizations have been easy targets. With a focus on compliance, important security measures are all too often lacking. A data-centric security approach could easily bring health care organizations up to speed, securing protected health information (PHI) at its origin regardless of where it resides.
Incorporating security capabilities such as encryption, better control and management of PHI and a data security framework will help alleviate health care organizations, employees and patients of the burden breaches take on their lives and boost confidence in their ability to trust their personal information is safe.
In this slideshow, Ron Arden, Fasoo, outlines steps organizations can take to better protect their critically important data and mitigate the risks of a data breach.
Mitigating Data Breach Risks
Click through for steps organizations can take to better protect highly sensitive data and mitigate the risks of a data breach, as identified by Ron Arden, Fasoo.
Sensitive health data and files should always be encrypted, especially when data is shared via file shares and when in storage. Not using encryption technology at every step leaves these files vulnerable to even the most amateur of cybercriminals.
Control Access to Data and Permissions
The stewards of health data need to control who is allowed access to the information and what they are allowed to do with it, regardless of location and device. Employees should be aware of their access and permissions. Health care organizations must enforce employee training and enforce it often. In the case of a phishing style attack, employees are typically the first line of defense for the organization and should always fully vet who they are corresponding with to understand what data access is allowed.
Create a PHI Off Switch
Most health care organizations have perimeter security tools in place to protect information but lack protection when PHI is in use. Improper device disposal or any mishandling of PHI can expose the data, allowing it to be localized, copied or printed. Health care organizations need the ability to render PHI useless as needed. This off switch enables a level of data protection making PHI immediately unavailable to those on or off the network, malicious or otherwise.
Require a Data-Centric Approach
The days of compliance over security must end — today’s threat environment is far more sophisticated and, in turn, requires a more intense approach. While EHR (electronic health record) and EMR (electronic medical record) systems have the ability to protect information within the system, they do not prevent against unauthorized users accessing the data once someone downloads it from the system. It’s crucial to focus on protecting the data, not only the system where it lives.
Implement a Data Security Framework
A data security framework can identify where sensitive PHI is, control access and monitor usage — three key factors in accelerating a security plan to meet today’s standards.