Taking a people-centric approach to battle data breaches

It’s no secret why the healthcare industry is such a prime target for attackers: patients’ personal and health information is valuable data.

And when it comes to data breaches, it’s not just patient information that’s attractive. Data on employees is just as valuable, and its loss can be just as damaging. Consider the case of the provider Lincare Holdings, whose employees filed a class-action lawsuit against the organization, claiming negligence with regard to their personally identifiable information.

Beyond being an attractive target, healthcare is likely more vulnerable to attack: industries like financial services and the federal government devote more than 12% of their IT budgets to cybersecurity, while healthcare averages just half that figure.

More healthcare data breaches in 2017

Hardly a day went by in 2017 without a data breach story in the news headlines, and healthcare was not immune.

While the number of breached healthcare records declined in 2017, the number of data breaches rose significantly, according to the HIPAA Journal. More than 340 healthcare breaches were listed on the OCR breach portal as of the first of this year.

Insiders are behind many breaches

Insiders, whether negligent or malicious, were behind many of those breaches. Unintended disclosure, such as emails containing PHI sent to the wrong recipient or servers left publicly accessible, accounted for 41% of the data breaches reported through September 2017.

Commonwealth Health suffered the largest healthcare data breach of 2017, and it was the result of an insider attack. A former employee copied sensitive information on nearly 700,000 individuals to an encrypted device, intending to use the data for a personal project. Note that the encryption did nothing to protect those records: it keeps data from people who lack the key, and an employee with legitimate access to the data is not one of them.

HIPAA Journal notes that many of the 2017 data breaches could have been prevented through a focus on the basics: prompt patching, strong passwords, proper protection of physical assets like laptops, awareness training to counter phishing, and correct security configuration of cloud storage. Every one of these is a people issue.

A people-centric approach is the answer

Investments in technology - such as user monitoring and user behavior analytics software - are obviously a key part of your overall security plan. These solutions reduce the burden on IT teams by automating threat detection and alerting, so that insider abuse can be caught and contained early.

However, it’s just as important to focus on investments in people in order to get in front of the threat early. Healthcare is the ultimate people-focused industry, and the way to mitigate data breaches is to bring that people focus to the data protection space.

Here are seven people-centric tactics you should institute to battle data breaches.

Appoint a commander. Given the potential impact of a breach, you need a chief security officer at the senior leadership table who has responsibility and authority to put in place a comprehensive security program. This is an area where healthcare is lacking. A recent survey of 323 strategic decision makers in US healthcare found that 84% of provider organizations lack a reliable enterprise leader for cybersecurity, while only 11% plan to get a cybersecurity officer in 2018.

Assess your staff preparation. If you don’t have a good understanding of the security strengths and weaknesses amongst the staff accessing sensitive data, you’re largely operating on hope. A cyber risk culture survey is a great way to assess preparedness and allocate resources to objective needs, not subjective impressions.

Make staff awareness a priority. Awareness isn’t a one-and-done training course. Meaningful and impactful awareness programs require an ongoing investment that educates staff on emerging threats, reminds them of basic guidelines, and tests to prove readiness (for example, periodic email phishing simulations). Investment in security awareness programs today is sorely lacking. Over 1,000 security professionals across healthcare and other industries were surveyed for the SANS Security Awareness 2017 report. The findings are sobering:

● Only 8% of awareness professionals are dedicated full-time to awareness.
● Over 75% of awareness professionals spend 25% or less of their time on awareness.
● The minimum staffing found to change behavior at an organizational level was 1.4 FTEs, while the most successful awareness programs had at least 2.6 FTEs dedicated to awareness. Organizations larger than 5,000 people most likely need more.

Before you roll out security awareness education, sit in your learners’ seat. What’s more likely to engage you and change your behavior: a series of dry PowerPoint slides with password tips, or a poster integrated into the workplace with advice from Fluffy?

Invest properly in security pros. Data breaches, malware, and ransomware lead the security headlines, but following closely behind are stories about the shortage of skilled cybersecurity professionals. Yet the average advertised pay for healthcare cybersecurity positions is 25 percent lower than in finance. Pay your security team what other industries pay theirs.

Create a partnership between IT and staff. How are you ensuring that the relationship between IT and staff delivers security without hampering productivity? Too often security precautions get the reputation of coming from the ‘department of no’. When security operates in a silo and issues mandates, employees will find a workaround - and one that may introduce new vulnerability. Marin General avoided this predicament by collaborating with staff before instituting changes to strengthen security. For example, when rolling out enforced encrypted email for PHI, the security team surveyed staff to find out which outside organizations they corresponded with most often. Based on this information, Marin sent engineers to the top organizations to build a gateway or encryption tunnel between the two sides, so that mail to the partners staff actually work with is encrypted without the sender having to do anything differently.
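As an added illustration of what "enforced encrypted email" to specific partners can look like (an editor's example, not Marin General's configuration, which the article does not describe), a Postfix mail gateway can require verified TLS for mail to named partner domains while keeping opportunistic TLS for everyone else. The partner domains below are hypothetical placeholders for the organizations a staff survey would surface.

```ini
# /etc/postfix/main.cf (relevant lines only)
# Opportunistic TLS for all destinations; the policy map below overrides it per domain.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after editing)
# Hypothetical partner domains stand in for the organizations staff mail most often.
# "secure" = require TLS AND verify the server certificate against the names in match=;
# if either check fails, the message is deferred rather than sent in the clear.
partner-hospital.example        secure match=.partner-hospital.example:partner-hospital.example
referral-lab.example            secure match=mail.referral-lab.example
# "encrypt" = require TLS but do not verify the certificate (defeats passive eavesdropping
# only); use it when a partner cannot present a CA-signed certificate.
billing-clearinghouse.example   encrypt
```

After editing, run `postmap /etc/postfix/tls_policy` and `postfix reload`. Before enforcing a `secure` entry, confirm the partner actually verifies with `posttls-finger -l secure partner-hospital.example`; otherwise mail to that partner will queue and defer, which is exactly the "department of no" outcome the section warns about. This policy protects PHI in transit between the two mail systems only. It does nothing about a message addressed to the wrong recipient, which is the unintended-disclosure case described earlier and remains a people problem.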

Collaborate with peers. Who are you partnering with to get - and stay - smart? Criminals collaborate very effectively on the dark web, offering cybercrime-as-a-service packages. Healthcare organizations need to collaborate too, to share emerging threats, learn best practices and stay informed. Healthcare associations, including HIMSS, AHIMA, and CHIME, have resources and communities specifically dedicated to security.

Make security part of everyone’s job, everywhere. Healthcare organizations are home to many non-employees who may have access to data - vendors, students, trainees, visiting staff, volunteers, etc. Risk management plans and security awareness programs must take an all-in approach. In addition, while so much emphasis is placed on what happens between the user and the keyboard, there are many more ways to lose data. Aetna recently settled claims over an HIV privacy breach involving a mailing sent by a third-party vendor: the letters were sent in windowed envelopes, and the contents could shift so that the recipient’s PHI, including HIV diagnosis, was visible through the window. Ensure your security tactics include all people and their actions, both online and offline.

You should invest in technology, such as user monitoring software, to thwart insider threats. But technology is a weapon in the hands of your team, and your team will determine your ultimate success or failure. What are you doing to develop and support your team in the quest to battle data breaches?

# # #

About the Author:

Isaac Kohen is the founder and CEO of Teramind (https://www.teramind.co/), an employee monitoring and insider threat prevention platform that detects, records, and prevents malicious user behavior, in addition to helping teams drive productivity and efficiency. Isaac can be reached at ikohen@teramind.co.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2019.
