The recent cyberattack on Anthem, the nation’s second largest health insurer, highlights the growing need for healthcare organizations to strengthen their security measures. As more healthcare organizations integrate IT into clinical care and business operations, the amount of health data is predicted to grow exponentially. According to research from IDC Health Insights, the volume of healthcare data is expected to reach 2,314 exabytes by 2020, up from an estimated 153 exabytes in 2013. That data is valuable: a set of medical records complete enough to obtain care fraudulently (e.g. patient names, birthdates and Social Security numbers) may fetch between $20 and $200 on the black market. Following are some tips that healthcare organizations can implement to improve their security posture.
Conduct a compliance risk assessment
HIPAA compliance audits are coming and no one is exempt from them. According to Linda Sanches, senior advisor for health information privacy for the Department of Health and Human Services (HHS) Office of Civil Rights, the agency plans to audit providers of all sizes and across geographies. Now is the time to conduct a compliance risk assessment, learn about your business associates, encrypt devices and stay up-to-date on current and potential threats. Sanches notes, “You can certainly make [an audit] easier if you’re actually in compliance.”
Not sure where to begin? A compliant cloud hosting provider such as HOSTING can conduct a thorough, impartial compliance risk assessment. With more than 400 customer audits under their belt, the HOSTING team identifies weaknesses in an organization’s infrastructure and provides recommendations for achieving and maintaining HIPAA compliance.
And a security assessment
Compliance and security are not the same. HIPAA, PCI DSS and the NIST (National Institute of Standards and Technology) frameworks all specify security controls, but meeting them does not by itself amount to a robust risk management program; a control can be present on paper and still be misconfigured, unmonitored or bypassed. Most data breaches are opportunity-driven: attackers exploit whichever weakness happens to be exposed, whether or not it is covered by a compliance checklist. Healthcare organizations should therefore engage a cloud security expert to perform a comprehensive security assessment and identify and address infrastructure weaknesses early on.
Approach BYOD cautiously
BYOD (bring-your-own-device) has been one of the most hyped workplace benefits in recent years. According to research by PWC Health Research, MD Buyline and mobihealth news, some 80 percent of clinicians in the U.S. use some sort of mobile device for their work and personal activities, in addition to the desktop and/or laptop they use at work. While many workers tout the convenience and productivity gained through BYOD, it also opens up new security concerns: a personal phone or tablet that holds PHI is outside the organization’s patching, monitoring and wipe controls. Follow a simple rule that savvy Chief Information Security Officers (CISOs) adhere to – if the device or the data on it can’t be encrypted, then it can’t connect to the network. Also consider a cloud desktop solution, which keeps PHI in the data center rather than on the endpoint and so mitigates some of the risks of a lost or compromised personal device.
Choose your cloud providers carefully
The cloud is crowded, with more providers jumping into it every day. While many of them claim to be compliant cloud hosting providers, few actually are. So do your homework. Before committing to a cloud provider, make sure you know how they safeguard and manage protected health information (PHI), how they encrypt data in transit and at rest (and who controls the keys), the details of their service level agreements (SLAs) and Business Associate Agreements (BAAs) (walk away if they won’t sign one), and how you retrieve your data should you decide to move to another cloud provider. Download our white paper, 20 Questions to Ask When Selecting a Cloud Service Provider, to help you build your selection criteria.
Keep in mind that security breaches are often “inside jobs”
Pending layoffs, job dissatisfaction and the high resale value of medical data are just a few reasons why employees may access sensitive information without proper authorization. Encrypt every device so that a lost or stolen laptop or phone does not turn into a breach, and limit each account to the records its owner actually needs. Disable accounts and revoke remote access as part of the offboarding process, not days later. Keep an eye out for anyone encrypting emails sent to private accounts, or trying to access remote networks after they’ve left the company.
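The two warning signs named above can be turned into simple detections. The following is an added example (not code from the original post or from HOSTING): it checks constructed VPN and mail-gateway log lines against a constructed HR roster, flagging remote-access attempts by accounts whose owner has already left and outbound mail to personal webmail domains that carries an encrypted attachment. The log formats, field names, user names and domain list are all assumptions made for the example; map them to your own VPN concentrator, mail gateway and HR export.

```python
"""
Added example: flag two insider-threat signals using constructed sample logs.

  1. Remote-access (VPN) attempts by accounts whose owner has already left.
  2. Outbound mail to personal webmail domains carrying an encrypted attachment.

Log formats, field names and the HR roster are assumptions made up for this
example, not the output of any real product.
"""
from datetime import datetime, timezone

# Constructed HR roster: user -> termination date (None = still employed).
TERMINATIONS = {
    "jdoe": datetime(2015, 2, 10, tzinfo=timezone.utc),
    "asmith": None,
    "rlee": datetime(2015, 1, 31, tzinfo=timezone.utc),
}

# Constructed VPN log lines (assumed format: ISO timestamp, then key=value fields).
VPN_LOG = """\
2015-02-09T08:12:03Z user=jdoe src=203.0.113.7 result=success
2015-02-11T23:41:55Z user=jdoe src=203.0.113.7 result=success
2015-02-12T01:02:10Z user=rlee src=198.51.100.23 result=failure
2015-02-12T09:15:44Z user=asmith src=192.0.2.15 result=success
"""

# Constructed mail-gateway log lines (same assumed key=value format).
MAIL_LOG = """\
2015-02-11T17:05:00Z sender=jdoe@example.com rcpt=jdoe.personal@gmail.com attach=records.zip encrypted=yes
2015-02-11T17:09:00Z sender=asmith@example.com rcpt=billing@partner-hospital.org attach=invoice.pdf encrypted=no
2015-02-11T17:20:00Z sender=asmith@example.com rcpt=me@yahoo.com attach=photos.zip encrypted=no
2015-02-11T18:00:00Z sender=rlee@example.com rcpt=rlee@outlook.com attach=export.7z encrypted=yes
"""

# Assumed list of consumer webmail domains; extend for your environment.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def parse_kv_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict; 'ts' is an aware datetime."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(token.split("=", 1) for token in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return fields


def post_termination_access(vpn_log, terminations):
    """Return VPN events (successful or failed) by users already terminated at event time.

    Failed attempts are kept on purpose: a former employee probing a disabled
    account is still worth knowing about.
    """
    hits = []
    for line in vpn_log.splitlines():
        if not line.strip():
            continue
        ev = parse_kv_line(line)
        ended = terminations.get(ev["user"])
        if ended is not None and ev["ts"] > ended:
            hits.append((ev["ts"], ev["user"], ev["src"], ev["result"]))
    return hits


def encrypted_mail_to_personal(mail_log, personal_domains):
    """Return outbound mail events with an encrypted attachment sent to a personal webmail domain."""
    hits = []
    for line in mail_log.splitlines():
        if not line.strip():
            continue
        ev = parse_kv_line(line)
        domain = ev["rcpt"].rsplit("@", 1)[-1].lower()
        if domain in personal_domains and ev.get("encrypted") == "yes":
            hits.append((ev["ts"], ev["sender"], ev["rcpt"], ev["attach"]))
    return hits


if __name__ == "__main__":
    for ts, user, src, result in post_termination_access(VPN_LOG, TERMINATIONS):
        print(f"ALERT post-termination VPN {result}: {user} from {src} at {ts:%Y-%m-%d %H:%M}Z")
    for ts, sender, rcpt, attach in encrypted_mail_to_personal(MAIL_LOG, PERSONAL_MAIL_DOMAINS):
        print(f"ALERT encrypted attachment {attach} from {sender} to personal address {rcpt} at {ts:%Y-%m-%d %H:%M}Z")
```

On the sample data this flags jdoe’s VPN login the day after termination, rlee’s failed attempt weeks after leaving, and the two encrypted archives mailed to Gmail and Outlook addresses. In practice the roster comes from the HR system and the logs from a SIEM; the point is that both checks need the termination date as an input, which is why offboarding and security monitoring have to share data.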
Healthcare organizations have historically invested less in IT and security than other industries that hold comparably valuable data, making them ideal targets for cyber criminals. Contact us to learn more about the HOSTING compliance and security risk assessments. You can also download the HOSTING Guide to HIPAA Compliant Solutions in the Cloud for more information.