Workforce Security Awareness Training

Posted by John Dimaggio on Mar 30, 2016 2:02:25 PM

In Security Awareness Training

Hackers are becoming increasingly proficient at detecting and exploiting security vulnerabilities in healthcare IT systems. In response, many healthcare organizations are preemptively working to identify and eliminate security vulnerabilities in operating systems, applications and configurations. But in this quest for robust security controls, end-user practices can sometimes be overlooked. Employee carelessness, forgetfulness and lack of knowledge can create a huge gap in an otherwise secure setting. This gap can make an organization highly susceptible to cyber-attack, security breach and ransomware. It can also put an organization at risk for costly HIPAA violations that could generate negative publicity and reputational damage.

As a healthcare provider, you already know that HIPAA law requires covered entities to conduct workforce security awareness training. But in addition to achieving HIPAA compliance, this initiative can also provide stronger strategic positioning in the cyber-war arena. In fact, your workforce is often your first line of defense, a sort of human firewall. So how can you best arm your workforce for this battlefield?

  • Cultivate workforce security awareness. Monitor and communicate industry security trends and vulnerabilities. Keep alert to current and emerging threats, and provide periodic security updates and reminders to your workforce. Educate your employees on the mechanics of spam, phishing and malware. Test workforce awareness by running your own internal phishing simulations that attempt to solicit information from your employees.
  • Defend against malicious software threats. Install malware detection software, ensure antivirus software is in place, and keep both up to date. Develop organizational policies and procedures for detecting, thwarting and reporting malicious software. Encourage employees to be vigilant, skeptical, and to adopt a “question everything” attitude. Ensure organization-wide clarity on the correct and timely procedures for reporting potential malicious software threats.
  • Foster accountability in log-in activity. Implement technical safeguards that allow you to monitor and investigate suspicious log-in activity. Audit and monitor system users. Train your workforce to detect inconsistencies in log-in procedures and to recognize when their accounts have been illicitly accessed. Develop a procedure for employees to report log-in anomalies, and consistently stress the importance of log-in vigilance.
  • Develop a password management game plan. Passwords are one of the primary security breach points and, depending on the level of access they grant, can sometimes be “the way in”. Train your users to create strong passwords, require password changes every 90 days, and stress the importance of safeguarding user password data. In other words, arm your workforce against the widespread availability of password cracking tools that can allow hackers to quickly infiltrate your system.

The number of breach incidents that evade traditional security defenses is increasing at an alarming rate, and with the growing prevalence of EHRs, the playing field has become more enticing to hackers. Now more than ever, healthcare organizations should prepare their workforce to help successfully repel security attacks. But don’t underestimate the complexity of security training. Complex, ever-changing regulations, increased vulnerabilities, implementation of new technologies and changes in business processes can make it difficult to stay in front of emerging threats. Consider hiring a compliance partner to design a customized approach based on your organization’s unique needs and requirements.

BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH. Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts. Our national client base consists of hospitals, physician provider practices, nursing facilities, LTC pharmacies, LPCs, CCRCs, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.