In today’s world, healthcare data is spread across the cloud, end points, within the organizational network, applications, IOT and other places. As shown in a report by KPMG, there has been a significant rise in cyber security breaches around sensitive data.
As per the report, 47% of healthcare providers and health plans faced violations of HIPAA compliance (Health Insurance Portability and Accountability Act). This is a 10% percent increase when compared to KPMG’s previous survey.
In this article we will give you some simple tips to prevent data breaches in the healthcare sector.
1. Follow information security programs
Ensure your organizational practices align strictly with the information security standards of your industry vertical (such as ISO). This will help your organization to develop, deploy and maintain your information security system. If you have to satisfy more than one regulation in your industry vertical, then ensure that the standard that you have chosen looks at other regulatory compliance requirements as well. Example of such regulations are Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), GDPR and others.
2. Have a good audit logging and reporting system
Auditing solutions give real-time analysis of events generated by applications and network hardware. There are many log analytics and data intelligence solutions that are all highly effective in strengthening your network. With these solutions, you can completely understand how information flows through your healthcare environment. Some of these audit solutions can track and analyze logs, and find anomalies in data patterns.
3. Use advanced end user protection systems
Look at end-user security from 2018’s perspective. That is, applying the proper security policies based on what the user is doing, their device, where they are coming in from and so on. There are EDR solutions like Symantec, Cisco, Cylance, CrowdStrike, Carbon Black, CounterTack and others that go well beyond traditional solutions to protect your end points.
4. Take contractors and business associates on board
Healthcare service providers work together, along with a number of other service providers, that offer different services and tools to deliver successful treatments and cures. All your immediate contractors, business associates, clinics, doctors and others must be held accountable for the safety and security of data. As stated in major compliance regulations this is achieved through relevant written business associate agreements (sample HIPAA agreement) that must be signed by all the parties.
5. Be HIPAA compliant
As required by government regulations, healthcare data processors should annually audit their systems for security evaluation. Given today’s increasingly sophisticated cyber attack strategies, it is a good idea to continuously assess your network for anomalous behavior.
- Audit Windows permissions changes find out who can access sensitive health data
- Monitor activities of users who have access to PHI.
- Get real-time alerts as and when an important change happens.
- Audit computers storing PHI for log on and log off events, and network access policies.
- Monitor privileged user group for membership changes.
6. Make employees responsible for data security
To secure an organization’s boundaries, advanced technologies in themselves are not enough. You also need to involve employees. Security best practices state that employees should be seen as an important stakeholder. Train people to not divulge sensitive data through social engineering. For example, what’s the point of having the best antivirus to defend your network if an employee unknowingly divulges sensitive data to a suspect over phone or verbally.
7. Testing makes a difference
Testing helps in determining the effectiveness of your security measures. Do penetration tests and vulnerability tests to determine organizational network strength resilience. You can take help of a security firm to do a through, professional testing. As hackers are always on look out for holes that they can tap, you need to stay ahead of them through professional testing.
8. Do patch management
To keep systems secure, always update systems as and when necessary. The following other things can also be done:
- Have a central console to manage updates for Windows, Linux and other machines
- Have a dashboard to view the job status of updates on computers
- Schedule job to apply updates on a computer group
- Generate list of computers that are not patched and thus are vulnerable