While no healthcare organization is immune to cyber-attack, those that implement precautions can either significantly reduce their chances of attack, or at the very least, mitigate the damage in the event of an attack. Administrative defenses are a key component of cybersecurity because they cover the gap that technical defenses cannot protect. In fact, some common cyber-crime entry points are those that technical defenses simply can’t thwart, such as social engineering ploys and phishing expeditions.
This article will focus on administrative defenses an organization can employ to proactively defend against cyber-threat. Below are some of the most effective administrative safeguards:
- Develop and implement organizational-wide security policies and procedures:
- Conduct regular training for new hires, and continuing education training for existing personnel;
- Manage and oversee employee compliance with policies and procedures;
- Enforce compliance consistently, including disciplinary action for violations.
- Review system activity and logs to identify unusual or suspect activity.
- Conduct Regular Security Risk Analyses. Routine security risk analyses will identify potential cybersecurity vulnerabilities as well as better position an organization for an audit. The Security Risk Analyses should evaluate ePHI access, track security incidents, evaluate security measure effectiveness and assess new and emerging security threats.
- Implement a Risk Management Plan:
- Outline a routine procedure the organization will use to identify and analyze potential security vulnerabilities;
- Detail the security gaps identified in those routine investigations as well as in the organization’s periodic Risk Analyses;
- Identify strategies to resolve those open security gaps;
- Assign resources and projected completion dates to all open items.
- Cultivate workforce security awareness:
- Monitor and communicate industry security trends and vulnerabilities; Keep alert to current and emerging threats, and provide periodic security updates and reminders to your workforce;
- Educate your employees on the mechanics of spam, phishing and malware;
- Test workforce awareness by initiating your own internal phishing expeditions to attempt to solicit information from your employees;
- Encourage employees to be vigilant, skeptical, and to adopt a “question everything” attitude. Ensure organizational-wide clarity on the correct and timely reporting procedures of potential malicious social engineering or software threats.
- Limit Access to ePHI. Create and implement policies and procedures that restrict ePHI access to a “need to know” basis. In other words, ensure access only be granted to persons or software programs that require the information to perform normal business operations.
- Enforce Strong Password Utilization. Require high complexity passwords, frequent password changes and prohibit password re-use or passwords containing personal data.
For more information, download our Cybersecurity eBook by clicking on the below link:
BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH. Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts. Our national client base consists of hospitals, physician provider practices, Nursing Facilities, LTC Pharmacies, senior living organizations, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.