In the face of an ever-evolving, more-sophisticated threat landscape, medical organizations continue to explore ways to protect their assets. Securing private patient data and personal information contained in electronic health records (EHR) is a challenge that demands agility and top-shelf technology today. Every organization can, and should, take measures to enhance network security and strengthen oversight protocol.
Prevent leaks with privileged asset management (PAM). Strict access protocols have long been used to limit who can access which files. That step is a good start, but more can be done. Research firm Gartner recommends that administrators establish controls addressing the “inventory, classification and use of privileged information” within files. Monitoring how data is used, who attempts to extract or modify documents, and where record access originates helps IT teams spot potential threats early, so organizations can identify problems before a breach occurs rather than react after one has.
Implement training programs to enhance internal security. Everyone is concerned about external threats; however, internal threats are a significant problem some administrators fail to adequately address. Poorly trained staff members — along with disgruntled employees — may share passwords, post privileged information on social media platforms, fail to keep sensitive information in secure storage areas, or download files corrupted with malicious code. Training programs must focus on security and clearly identify the risks associated with inappropriate actions.
Conduct an internal audit. Everyone probably remembers the uproar when auditors revealed HealthCare.gov had serious security risks, including about two dozen database vulnerabilities classified as “severe or catastrophic.” One issue identified was a failure to encrypt data, something every organization should be doing in light of the current landscape. Failing to encrypt personal data is “inexcusable,” the deputy director for consumer privacy at the Center for Democracy & Technology told Fox News in a 2015 interview. Hiring an external asset management firm or security expert to conduct a thorough audit of an organization’s security system is an excellent first step. Adding a revenue cycle management review and a training program evaluation goes even further to make sure your facility or practice is doing everything it can to protect your assets and stakeholders.
Know which assets you own and where those assets are at all times. Technology exists today that enables leadership to maintain a constant vigil on financial assets. Monitoring physical assets is equally important. Health insurer Centene Corporation announced earlier this year that it was actively looking for six missing hard drives containing close to 1 million personal health records, including social security numbers, birth dates and other personal information. Especially in an age where physicians, clinicians, third-party vendors and other health IT partners routinely access medical networks, and information is digitally shared for research and development, it is imperative to establish policies that track equipment movement.
Vet vendors and external stakeholders carefully. The best training programs, hyper-vigilance and the most advanced sandboxing technology cannot fully protect your network unless you consider how external stakeholder relationships affect your security. Allowing third-party vendors access to your network is risky unless you know who they in turn allow onto their networks, or you take measures to monitor incoming traffic diligently. Deploying technology that enables your medical organization to isolate and examine incoming traffic in real time strengthens oversight.
At the end of the day, architecting a rigorous security system is mission critical. Building a capacity to monitor traffic, applications, IT services, devices and perimeter edges is imperative to properly identify and respond quickly to known and unknown threats. Risk management dramatically reduces exposure. In the same way that preventative health screenings and patient education programs improve patient experiences and outcomes, planning for the best and preparing for the worst is the best approach to protecting privileged data.
Rob Martoncik works as the Technology Strategist for Column Case Investigative, a software solutions company for the legal and investigative industry. Rob works as a customer advocate and strategist to ensure alignment with business objectives and drive improved organizational service delivery. He possesses a wealth of knowledge around enterprise service and business process management consulting.