Why even the best IT security technologies are not enough – you need to build a culture of cyber security
There are two important lessons that thought leadership responsible for protecting ePHI in healthcare organizations should take away from the breaches in ePHI that occurred in 2015. First, it’s clear that there’s been a shift away from lost or stolen devices as the leading source of data breach to cyber-hacking as the primary source. In fact, over 90% of the top ten breaches in 2015 were categorized as “Hacking/IT Incident”. Furthermore, a Ponemon institute survey on Privacy and Security of Healthcare Data found that there’s been a corresponding 125% increase in cyber-attacks on healthcare businesses in the last five years – a frightening statistic.
Secondly, and perhaps not as obvious, is that in many cases, human error – that is, a ‘negligent insider’ within the compromised company – was at least partially responsible. For example, cyber hackers in the 2015 Anthem breach reportedly leveraged a spearphishing attack, using a fictitious but authentic email to dupe employees into giving up their user name and password credentials in order to gain access to backend systems containing PHI.
The proliferation of spearphishing and other social engineering methods employed by cyber-criminals is proof that people may still often be the weakest link in your organization’s security ecosystem. Without proper training and security awareness, even the most robust security technology and encryption may not prevent breaches, as they are initiated from the inside by users with access to highly sensitive information. Encryption, in this case, is rendered useless because the proverbial ‘keys to the kingdom’ have been stolen through social engineering techniques like spearphishing.
Smart IT managers and thought leaders are addressing their organization’s vulnerability to social engineering and other cyber-hacking techniques by creating a culture of cyber security. That means that your employees should undergo proactive education and training on the methods and techniques employed by the bad guys to try to trick them into providing passwords or login credentials. It also means explaining cyber-security in non-technical terms, so that your non-technical employees can fully understand what’s required of them. Lastly, you should revisit your established policies and procedures to reinforce common sense security practices that can often be overlooked or misunderstood in application. For instance, passwords written on sticky notes posted on workstations, or unintentional disclosure of PHI to unauthorized persons in common waiting areas are still common sources of potential breach events.
By demonstrating to your employees that security of protected health information is as important as their patient’s health, you can proactively work to stave off potential breaches. Simply put, everyone needs to understand the importance of staying vigilant and maintaining security consciousness at all times when it comes to ePHI.
A Culture of Cyber Security in Your Organization Can Include:
- Training all staff on comprehensive data security awareness and on your organization’s policies, procedures, and access controls.
- Implementing strict policies regarding the storage of ePHI on unauthorized removable media or mobile (BYOD) devices.
- Deploying strong encryption and security protocols for the transmission of ePHI to Business Associates (BAs) and Covered Entities (CEs), such as secure cloud faxing using TLS encryption.
If you’d like to learn more about IT best practices and other topics related to healthcare IT and secure cloud faxing, you can read our blog posts on Building a Culture of Cyber Security, Defending Against Cyber Attacks, OCR Phase 2 Audits, and BYOD Best Practices at enterprise.efax.com/blog.
As the leading provider of secure fax solutions for the healthcare industry, eFax Corporate can help you to ensure that your fax transmissions containing ePHI are always secure, and help you utilize the strongest encryption (TLS) to protect against cyber hackers and other malicious attacks.
About Michael Flavin
Michael Flavin is Sr. Product Marketing Manager at j2 Cloud Connect, a division of j2 Global and is responsible for the go-to-market strategies for the eFax Corporate® suite of solutions. eFax is the world’s leading online fax provider and helps thousands of companies in highly-regulated industries, including healthcare, to transmit and manage sensitive documents efficiently and securely.
Follow me: SpiceWorks LinkedIn