Okay, it’s time to talk about a subject that nobody wants to acknowledge and nobody wants to spend money to address because it has no immediate or obvious ROI. Let’s talk about information security. We’re all aware that HIPAA violations are bad, and many of us are aware of HOW bad it can get, financially speaking. This doesn’t even include the possibility of class action lawsuits from victims who have their identities stolen. But enough fearmongering! Let’s get to the meat of how upper management, who may not be on the pulse of the IT security world, can help prevent these cases from happening.
To give you some background, I do a lot of the technical backend work at Galen and have a ~15 year background in IT and security work (not necessarily healthcare-related), so I have gotten to see behind a lot of curtains in many, many different environments and organizations. My recommendations come from what I see as the most common vulnerabilities that can be solved with the least amount of effort and cost.
I will be breaking this blog entry into two parts since there is a lot of information. So without further ado, here are some easy-to-implement tips:
- Email is NOT A SECURE FORM OF COMMUNICATION. Every email you send gets bounced through public intermediate devices that eventually make it to their destination, and due to the openness and decentralized nature of the internet, it’s all sort of done on the honor system. There are nefarious ways to set up a router to read every bit of unencrypted data that passes through it, and it is simpler than you may assume. To give you an idea of the kind of path that email can travel, you can try this little exercise. On your Windows PC, go to Start > Run and type cmd and hit Enter. Once the command prompt is on the screen, type tracert galenhealthcare.com and hit Enter. This is what’s called a “Traceroute”, and it will show you every device that your information packet is sent through. It only takes a compromise of data at one of these points for you to be held liable for not taking precautions. I first recommend to NEVER send ePHI through email. It cannot be stressed enough. Second, encrypted files (like ZIP files) can easily be compromised once captured, so not even those are secure enough. Third, I recommend investing in a secure email solution, such as the one that Cisco and other vendors offers where the recipient logs into a secure web site to read and reply to messages. Sure secure email solutions can be annoying for employees, but they are a necessary annoyance.
- Train ALL of your employees (including upper management!) on the dangers of social engineering. Read up about social engineering nightmares. Having a data compromise come from a social engineering accident is not only embarrassing, it’s incredibly preventable and is much harder to defend against legally. At least with data security policies you can provide documentation saying showing you took the appropriate course of action, but for a phone call that wasn’t recorded for an employee that got scammed? Try to imagine that scenario. In the security field there are countless stories of these types of failures and it is not something that is publicly talked about in specifics (see: previous comment about how embarrassing it is for a CFO to get scammed by a 16 year-old). I recommend a policy where, if someone is requesting confidential information from a member of your organization over the phone, require that they send an additional email confirming their identity, and list the information they are requesting in that email. The requested information can then be given confidently over the phone. I can’t tell you how many times I’ve called members of an organization legitimately requesting confidential information after stating who I was with, and I was given the information unchallenged. Granted, usually there is an understanding of which company they’re working with, but this is what social engineers do by trade. Get that extra layer of confidence. It doesn’t take long to fire off an email from a legitimate client, and your clients will appreciate your proactive effort because it protects them as well.
- Have regular meetings with your IT department on the policies regarding your employees’ and contractors’ network access. For trusted contractors (like Galen!) it can be one thing to keep a network account enabled over a long period of time, but for the employee that got fired a month ago for stealing cups from the break room? That account needs to be disabled immediately, and the disabling needs to be confirmed by at least a second party because we all make mistakes. In addition to access reviews, you should review login audits with your IT department. This is also the kind of thing that HIPAA audit boards single out as the first point of compromise and the fines for lapses in operation are significant. Windows and MSSQL keep very detailed records about successful and failed logins, and although most institutions pay zero attention to these logs, you could setup a recurring audit report and deliver it via email. This goes DOUBLY recommended for multi-site organizations where logins can cross network domains. This practice can not only better secure your organization, it can also indicate if there is a configuration problem with some piece of software that you previously unaware of.
Keep an eye out for Part 2 as we dive further into easy-to-implement policies and strategies. For further information on how Galen can help your organization with information security, please contact us at firstname.lastname@example.org.