The Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS) are educating healthcare organizations on the importance of detecting and responding to data breaches, while enforcing penalties and fines for those who are noncompliant. According to the Ponemon Institute, the 2017 average cost of a data breach in the US has risen to $7.35 million. Organizations have had no choice but to take cyber security and privacy seriously.
A lack of preparation may result in paying extraordinary fees to security forensics specialists once a security breach occurs. Below are 5 tips and insights on crafting a process for managing healthcare investigations and mitigating risk.
1. Invest aggressively in information cyber security and privacy programs
If you assume that because you are HIPAA compliant, you’re protected, then you’re in trouble. Pay attention to securing the data not just adding a check to the HIPAA compliance check box. Being compliant does not mean an organization is secure and can result in major breaches. HIPAA and HITECH laws should serve as a baseline for regulatory and compliance fulfillment. Information security bad actors are moving at a pace faster than ever, and the HIPAA laws were written for a different time when these types of threats did not exist.
2. Hire information security, privacy, and governance experts directly or in partnership with a third party
Take their advice seriously, balanced by business judgment. Adding the responsibility of governance and security to an existing executive’s responsibilities doesn’t work anymore. These areas are far too complex, time-consuming, and fast moving to be treated as an extension of an existing role. Hiring a CISO or a CSO can provide an organization with insight into security and governance in all areas of business and will set the organization up for long term success. Oversights and mistakes can be made as business is conducted without security and governance in mind, resulting in costly fixes in the long run. For smaller organizations without the means to hire a Security Officer, partnering with a third-party security services firm will provide essential guidelines and a roadmap of the future in terms of security and governance.
3. Evaluate where your most sensitive data is in combination with who has access. Once users are better identified, you can now implement a more effective security strategy
To monitor what users are doing, you should first identify who they are. With the large number of mergers and acquisitions in the healthcare industry, coupled with the robust number of cloud applications touching an EMR Application, user identities become more difficult to identify. Furthermore, under the HIPAA Security Rule, all applications containing PHI are subject to the HIPAA Laws. There may be a first name, last name, and user ID, but no explicit oversight of where this user has access from- it could be an internal associate or an external affiliate. These incomplete user identities must be accurately identified to adhere to the Security Rule. FairWarning® monitors millions of users, when a sample of 50 customers with over 1 million users monitored was taken, it was found that 26% of that million or 260,000 users were poorly known to the care provider. Through our dynamic identity intelligence technology, users are discovered and centralized; once identified these users can now be governed, monitored, and trained.
4. Implement an aggressive data-user monitoring program
To predict and prevent potential breaches, healthcare organizations can use behavior analytics and auditing. Per a recent Verizon Study, 63% of breaches involve compromised user credentials, which often fall into the hands of malicious outsiders who can gain access to mission critical applications and systems. Specific careless users need to be identified to decide who needs training, sanctioning, or both.
5. Aggressively train employees in security and regulation and be sure to remember to reward positive behavior not just punish offenders
Creating a workforce culture surrounding compliance, accountability, cyber security and privacy can provide value. Training users on security and regulation through a Learning Management System (LMS) contributes to a successful program. Governing and sanctioning offenders strengthens accountability, but rewarding positive behavior will further strengthen your culture. The idea is to move towards preventing data breaches rather than discovering breaches before the damage has been done.
No matter where you stand in your security and compliance posture, there is room to reduce risk and unexpected costs associated with healthcare investigations. Truly securing PHI takes a multilayer security approach involving both technology and people security. Through proactive monitoring and employee training, your organization can be positioned for long term cyber security and privacy compliance success.