HIPAA Data Security
Data Security, Data Insight
Developing the Framework to Protect Critical Healthcare Information Systems
Prevention, Monitoring, Response
“60% of practices and businesses that declare a major breach file for bankruptcy within 6 months.” –Larry Ponemon Institute, FBI Cybersecurity Bureau, 2016.
Healthcare providers as a whole are largely behind the curve in adopting data security technologies. Meanwhile, the healthcare sector remains one of the verticals most targeted by hackers because of the value of patients' personal records. HIPAA-compliant data security is essential for each and every healthcare organization.
Identify – Develop the organizational understanding needed to manage cybersecurity risk to systems, assets, and data.
Protect – Implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond – Develop and maintain the ability to respond immediately and effectively to threats and security incidents.
Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity event.
- Hard Perimeter – Physical Firewall Security Appliance
- Soft Perimeter – Soft Firewall
- Managed Security
Written Security Policy
Governance, Risk, Compliance Management
Nearly every business in the nation is subject to compliance with some, if not many, government regulations regarding data and/or cyber security. The Fair Labor Standards Act, PCI DSS, Sarbanes-Oxley, HIPAA and many other regulations carry harsh penalties for non-compliance. If you don't have a written security policy in place, you will have problems. Policies must be in line with the applicable compliance standards, and every organization must have standards that turn its policies into procedures.
With regard to IT security, no solution works 100% of the time. Bottom line: if it is on the internet, consider it public information unless it is encrypted. Whether through brute force or social engineering, high-level malicious hackers eventually find a way in. Encryption is the only way to ensure that your data cannot be read even if it is stolen. This is especially important for cloud or internet-based storage. Tools such as www.encryptedcloud.com and Enigma from www.blacksquaretechnologies.com provide personal and business-class encryption for portable devices, computers, and cloud accounts.
Protect Your Website
Statistics show that more than ¾ of all websites have one or more security vulnerabilities. For a static webpage comprised solely of product/service information, an appropriate data back-up and clean restore service from your ISP will keep you covered. Interactive, dynamic, and e-commerce websites have far more vulnerabilities and a far greater need for security. SSL certificates and SiteLock services are just the beginning. Comprehensive monitoring solutions and an appropriate response protocol are essential to protecting customer records and company data.
- Replicate for Recovery
- Store Backups Offsite
Irreplaceable data is lost almost every day by government agencies, Fortune 500 companies, and small businesses, whether through a malicious attack, hardware failure, natural disaster, or human error. Regardless of the circumstances, there is no excuse for not having an appropriate back-up solution. Both individuals and corporate entities should take at least one full data back-up per week. Back-ups should be stored offsite in a secure location. Vault storage and “GoBox” solutions are available from www.perpetualstorage.com as well as from a number of other service providers.
Avoid Consumer Grade
Products available off the shelves at local retailers and office supply stores are nearly all consumer grade products and not designed for business or sensitive data. Business class or commercial grade equipment is more expensive, and you get what you pay for. Consumer grade security is easy to breach. Commercial grade products and services utilize better security methods that are consistently tested. When it comes to firewalls, routers, switches, access points, servers, and storage devices the investment in commercial grade equipment provides excellent return on investment.
Know Your Risks
Personal Device Use
Handheld personal devices have become an expected reality today. Having a written policy regarding personal device use is essential for every business. The bottom line is that the business is responsible for everything that happens on its network. This major liability can be mitigated to an extent through acceptable use policies. A Privacy and Security Policy coupled with security software is a great start toward ensuring appropriate use of personal devices on company networks.
Guarding the Flock / Admin Access
Malicious attacks from the outside are only one concern; the majority of data breaches stem from individuals who already have access. Administrator and root access allow users to bypass security controls. Admins should always log in as themselves, and admin and root access should be restricted to a single user for emergency circumstances.
Physical Security is Information Security
Physical data breaches are far easier than “hacking.” Social engineering and brute force attacks are difficult to defend against; physical security is easier to achieve. Passwords should be 12-20 characters. Monitoring is key: how long have they been banging on your door? Did you notice?
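The two monitoring questions above (how long has someone been banging on the door, and did anyone notice) can be answered from the login service's own log. The following is an added example, not code from this page or from any vendor it names: it reads OpenSSH-style failed-password lines, counts failures per source address over a sliding window, and reports how long each flagged source has been at it. The log lines, the addresses (RFC 5737 documentation ranges), the threshold, the window and the assumed year are all constructed for the illustration.

```python
"""Added example: a minimal failed-login monitor. It counts failed
password attempts per source IP over a sliding time window and reports
sources that reach a threshold, together with the span of time over
which the attempts were seen. The log format, addresses, threshold and
window are constructed for this illustration and are not from the page."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth.log style (syslog timestamp,
# host, process, message). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 02:14:01 ehr-gw sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 ehr-gw sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 02:14:06 ehr-gw sshd[2233]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 02:14:09 ehr-gw sshd[2235]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 02:14:12 ehr-gw sshd[2237]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 02:20:44 ehr-gw sshd[2300]: Failed password for jsmith from 192.0.2.15 port 40011 ssh2
Mar  3 02:20:51 ehr-gw sshd[2302]: Accepted password for jsmith from 192.0.2.15 port 40012 ssh2
Mar  3 03:41:30 ehr-gw sshd[2510]: Failed password for root from 203.0.113.7 port 51990 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, ip) for each failed-password line.
    syslog timestamps carry no year, so one is assumed here."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: summary} for every source whose failures reached
    `threshold` within any span of length `window`. The summary carries
    the total failure count, the user names tried, and the first/last
    timestamps, so an operator can see how long the activity has lasted.
    Sources below the threshold are omitted to keep the report actionable."""
    events = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        events[ip].append((ts, user))

    report = {}
    for ip, items in events.items():
        items.sort()
        times = [t for t, _ in items]
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it fits.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                report[ip] = {
                    "failures": len(items),
                    "users": sorted({u for _, u in items}),
                    "first": times[0],
                    "last": times[-1],
                    "duration_s": int((times[-1] - times[0]).total_seconds()),
                }
                break
    return report


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures against {info['users']} "
              f"over {info['duration_s']}s ({info['first']} .. {info['last']})")
```

Run against the embedded sample, the report flags 203.0.113.7 (six failures against two accounts, spread over roughly an hour and a half) and ignores the single mistyped password from 192.0.2.15; the threshold and window are the knobs to tune against a real log's noise level.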
No Substitute for Training
The number one threat to your data is, always has been, and always will be your “friends” and employees. 80-90% of company breaches are the result of employee action, malicious or accidental. Employee training needs to be specific and consistent. Training for executives should differ from that given to every other level of employee. A weekly email newsletter featuring tips and best practices can be a great way to reinforce and maintain company policy.
Passwords Are Not Your Friend
- Use biometrics whenever possible
- Do not re-use passwords
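Where passwords cannot be avoided, the two rules this page states (12-20 characters, no re-use) can be enforced without ever keeping a password in the clear. The following is an added example, not code from this page or any product it mentions: each previous password is retained only as a salted PBKDF2-HMAC-SHA256 hash, and a candidate is checked against that history before it is accepted. The length bounds follow the page's recommendation; the iteration count, history depth and sample passwords are assumptions made for the illustration.

```python
"""Added example: enforce a 12-20 character length rule and a no-re-use
rule against a per-user history of salted password hashes. Passwords are
never stored; only PBKDF2-HMAC-SHA256 digests are kept. The iteration
count, history depth and sample passwords are assumed values for this
illustration and are not from the page."""

import hashlib
import hmac
import os

MIN_LEN, MAX_LEN = 12, 20   # the range recommended in the text
ITERATIONS = 200_000        # PBKDF2 work factor (assumed value)
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against one stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class PasswordHistory:
    """Per-user history of previous password hashes, newest last."""

    def __init__(self, keep=5):
        self.keep = keep          # how many previous passwords to remember
        self.entries = []         # list of (salt, digest) tuples

    def check(self, candidate):
        """Return the list of policy violations; an empty list means acceptable."""
        problems = []
        if not MIN_LEN <= len(candidate) <= MAX_LEN:
            problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        if any(matches(candidate, salt, digest) for salt, digest in self.entries):
            problems.append("password was used before")
        return problems

    def set_password(self, new_password):
        """Apply the policy; on success record the new hash and return True."""
        if self.check(new_password):
            return False
        self.entries.append(hash_password(new_password))
        self.entries = self.entries[-self.keep:]   # bound the history size
        return True


if __name__ == "__main__":
    history = PasswordHistory(keep=3)
    for attempt in ["correct-horse-batt", "short", "correct-horse-batt",
                    "another-long-pass-1"]:
        verdict = "accepted" if history.set_password(attempt) else "rejected"
        print(f"{attempt!r}: {verdict} {history.check(attempt)}")
```

Because every stored entry carries its own salt, a re-use check costs one PBKDF2 computation per remembered password; keep the history short and the work factor tuned to what the login path can afford.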
Know When to Call for Help
Less than 3% of IT professionals have the security experience necessary to handle a data breach. Be sure to enlist the professional services of experts whenever your data is in question.