With the ever-increasing risk of cyber attack, Andrew Martin, senior sales & marketing director EMEA & managing director UK at Egnyte, offers his expertise to help healthcare businesses guard against such a breach
It’s a sad fact that sensitive data has become an extremely attractive target for cybercriminals. What’s more, as growing volumes of it get digitised and moved to the cloud, it’s never been more vulnerable to those with the necessary technical know-how and means to try to steal it.
With this in mind, it’s crucial that healthcare organisations prioritise its protection at every possible opportunity, or else risk major embarrassment, reputational damage and regulatory fines in the event of a breach.
The good news is that the right application of technology and protocols can significantly reduce the risks faced without needing to outlay huge sums on every new security solution out there. Below are six of the biggest considerations for organisations looking to keep sensitive data as secure as possible.
- Conduct regular, comprehensive risk analysis
It sounds simple, but conducting regular risk analysis is one of the best ways to quickly identify any vulnerabilities in current systems. Once identified, issues can be addressed before they become the source of a potential data breach. In fact, legislation such as the Health Insurance Portability and Accountability Act (HIPAA) in the US and the General Data Protection Regulation (GDPR) in the EU both require organisations to run regular risk assessments for this reason.
- Limit access to sensitive data to those who need it
Hospitals and healthcare settings often have hundreds, if not thousands, of employees, but only a small percentage of these people actually need access to sensitive patient data. The fewer people that have access to it, the lower the chance of a breach (whether intentional or unintentional). For those that do have access, separate login credentials should always be used, so that every access is logged against a named individual and accountability is created for those accessing it.
For added security, two-factor authentication should also be implemented. This could be simple ‘trusted device’ based authentication, or something more complex, such as a retina or fingerprint scanner.
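As an added illustration (not code from the article or from Egnyte), the following Python model shows the two rules above working together: a role only sees the patient fields it needs, and every attempt, granted or denied, is written to an audit trail under the individual’s own login, with shared logins rejected outright. The roles, field names and shared-account names are constructed for the example.

```python
"""Added example: need-to-know access to patient records with a per-user audit trail.

Assumed, simplified model (not Egnyte's or any real system's code): each user
has a named role, each role lists the record fields it may read, and every
access attempt, granted or denied, is logged under the individual login.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> fields of a patient record that role is allowed to read (constructed).
ROLE_PERMISSIONS = {
    "clinician": {"name", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
    "facilities": set(),          # no patient-data access at all
}

# Generic logins that cannot be tied to one person; always refused (constructed).
SHARED_ACCOUNTS = {"ward_pc", "reception"}


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, role, patient_id, fields, granted, reason):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "fields": sorted(fields), "granted": granted, "reason": reason,
        })


def read_patient_fields(user, role, patient_id, requested, record, audit):
    """Return only the requested fields this role may see; log every attempt."""
    requested = set(requested)
    if user in SHARED_ACCOUNTS:
        audit.record(user, role, patient_id, requested, False, "shared account")
        raise PermissionError("individual credentials required")
    allowed = ROLE_PERMISSIONS.get(role, set())
    if not requested <= allowed:
        denied = requested - allowed          # log exactly what was refused
        audit.record(user, role, patient_id, denied, False, "not permitted for role")
        raise PermissionError(f"{role} may not read {sorted(denied)}")
    audit.record(user, role, patient_id, requested, True, "ok")
    return {f: record[f] for f in requested}
```

Reviewing the audit entries with `granted` set to False is a cheap way to spot staff (or shared terminals) repeatedly reaching for data outside their role.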
- Ensure BYOD policies are properly governed
Just as in other sectors and organisations, healthcare employees will often use their personal devices for work activities. This means employee smartphones connected to the company network are another source of security risk. As such, it’s important to have a robust bring your own device (BYOD) security policy in place.
These security policies must include three core components to be effective: a software app for managing connected devices, a policy detailing the responsibilities of the employer and employees, and an agreement the staff must sign. In addition, the policy could include security requirements such as having devices password protected or a list of approved apps that can be installed.
With all this in mind, organisations must remember that BYOD schemes always carry an inherent level of risk with them, alongside the benefits. While robust security policies can help to mitigate these risks, they can never be truly eliminated. So if concerns are too great, it’s better to keep personal devices off the network altogether.
- Only use secure wireless networks
If your organisation’s network runs on old wireless routers then it may be time for a rethink. Wireless routers often rely on outdated technology and can be easily hacked by someone in the vicinity, leaving them vulnerable to data breaches. Instead, consider switching to a more secure wireless network that enforces regular password changes and uses secure components that are much harder to hack remotely.
- Ensure data is collected using fully compliant forms and processes
Collecting patient data in a secure and compliant way, using encryption to protect sensitive information, is a key factor in making sure your organisation doesn’t fall foul of regulatory compliance rules. One of the easiest ways to do this is through the use of specially designed compliant form software like JotForm. Any data entered or stored on JotForm is automatically encrypted to protect privacy and immediately reduce its susceptibility to exploitation in the event of a data breach.
- Put crisis response plans in place before any breach takes place
Sadly, in the current cyber landscape, it’s often not a question of ‘if’ a data breach takes place, but ‘when’. As such, organisations that are serious about data protection need to have plans in place to mitigate such an event. A comprehensive and well thought out response plan gives teams a detailed set of instructions to follow, ensuring no time is wasted should the worst happen.
An effective plan must include all the relevant teams and team members within the organisation (including IT, legal, HR, communications, etc.), what their responsibilities are in the event of a breach, and who they should report it to.
In addition, organisations should also ensure every employee is regularly reminded of their duties. This means conducting staff security training for company veterans and new joiners alike. It could even include running annual security simulations, where staff are required to put their training to the test in a non-classroom environment.
With new threats emerging all the time, it’s imperative that healthcare organisations take a proactive approach to data protection. Putting robust security systems in place early can help prevent major issues further down the road, avoiding embarrassment at best, and major fines and potentially fatal reputational damage at worst. So don’t wait until it’s too late.
For more information, visit egnyte.com