How secure is your business data? Does your company provide security training to your staff to protect your data?
Most data breaches involve human error, which makes people one of the greatest vulnerabilities in any company’s security. Workforce training could have prevented many of the recent data breaches, which were caused by lost or stolen laptops and USB flash drives, inappropriate email use, phishing, other hacking/IT incidents, and unauthorized access to data.
- Stolen Laptops: Cedars-Sinai (Los Angeles, CA, August 2014) reported a potential data breach of 500 patients’ medical data as the result of a stolen unencrypted laptop. Breaches caused by stolen laptops were also reported by Sims and Associates Podiatry affecting 6,475 individuals (NY, January 2014) and by NYU Hospitals Center affecting 872 individuals (NY, February 2014).
- Email: Midwest Orthopaedics (Chicago, IL, April 2014) notified 1,256 patients that their health information, including surgery dates and descriptions, was compromised when someone accessed a physician’s Gmail account. Rady Children’s Hospital (San Diego, CA, June 2014) notified the parents of more than 20,000 patients after employees on two occasions forwarded spreadsheets containing their children’s protected health information to job applicants applying for data management jobs.
- Phishing: Target’s massive breach (December 2013) was traced back to a phishing email containing malware that was sent to one of Target’s third-party vendors. Then, when Target sent out an email to regain customers’ trust after the breach, cyber thieves used Target’s email campaign as cover for their own phishing campaign (January 2014). Need an example of phishing in healthcare? Employees of Centura Regional Medical Center (Durango, CO, May 2014) responded to a phishing email and provided their system login information, exposing the protected health information of 1,000 patients.
- Hacking/IT: Community Health Systems Inc. (Tennessee, August 2014) reported a breach of 4.5 million patients’ data that began with the Heartbleed OpenSSL vulnerability (CVE-2014-0160) on an unpatched system. Kaiser Permanente (Oakland, CA, April 2014) notified patients that their personal and health information was compromised when a research server was infected with malware.
- Unauthorized Access: NRAD (Long Island, NY, June 2014) reported that data on 97,000 patients was breached by an employee who had access to the billing system and used it inappropriately. Memorial Hermann Health System (Houston, TX, July 2014) reported an internal data breach in which an employee gained unauthorized access to the EHR system over a 6½-year period and viewed 10,604 patients’ records.
In fact, security awareness and training for the workforce is one of the administrative safeguards required by the HIPAA Security Rule (45 CFR 164.308(a)(5)), and the HIPAA Privacy Rule separately requires training on appropriate access to, use of and disclosure of protected health information. These safeguards are just as relevant to other industries.
Workforce Training and Cybersecurity
Training your employees on the following topics will help protect your company from hackers, phishing attacks and careless data handling.
- Use strong passwords – Strong passwords are harder to guess. Use a minimum of 8 characters (longer is better; a passphrase of several unrelated words is both stronger and easier to remember) and mix upper and lower case letters, numbers and symbols. Never leave a default password in place.
- Use a different password for each site – If a password is stolen from one site, it cannot be used to unlock data on another. A password manager makes this practical.
- Change passwords when needed – Change a password immediately whenever a compromise is known or suspected, and periodically otherwise. Rotation limits how long a stolen password stays useful; it does not replace the other controls on this list.
- Keep passwords secure and never share them – If an employee uses another employee’s password, the audit log that records user activity in the business software will attribute the access to the logged-in account, not to the person who actually used it. (Imagine the surprise of an employee accused of accessing data that was opened with their login.)
- Only access the patient records they need (healthcare) – Role-based access control limits what a user can do, but in a typical medical office any clinical or billing role can open any patient’s chart, so the system cannot enforce the minimum-necessary rule by itself. HIPAA Privacy training teaches employees to view only the records needed for their work and not to share PHI with anyone who should not have it.
- Hover over links before clicking – When viewing links in emails and on websites, place the mouse over the link without clicking and check where it actually leads; the visible text and the real destination can differ, and most mobile mail clients show the destination on a long press. Cyber criminals use links to send users to sites that harvest credentials or install malware. Confirm that the link is legitimate before clicking it.
- Do not open attachments from unknown senders or attachments the email does not mention – Hackers commonly deliver malware in attachments, especially .zip and .exe files, and in files with a double extension such as invoice.pdf.exe, which Windows displays as “invoice.pdf” when file extensions are hidden.
- Use encrypted email to send patient information and other sensitive information – Sending this information via standard email messages is like sending it on a postcard for all to see instead of in a sealed envelope. Unprotected emails can be easily read by those who are not the intended recipient, and are therefore not a HIPAA compliant means of communication.
- Confirm the identity of callers before providing company information – Phishing can also take place over the phone as callers “phish” for information.
- If using mobile devices, protect the screen from snooping eyes – Someone sitting next to you can easily see you input passwords or read company data over your shoulder.
- Protect devices with company data from being lost or stolen – It is all too easy to leave a phone or laptop behind on a table or to have it swiped when you’re not looking. Secure data on laptops and other mobile devices with full-disk encryption: under HIPAA, the loss of a properly encrypted device is not a reportable breach, whereas the unencrypted laptops in the cases above were.
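The two email checks in the list above (does the link text match where the link really goes, and is the attachment a risky file type) can be automated for triage. The following is an added example, not code from the original article or from any vendor; it uses only the Python standard library. The message it inspects is constructed for illustration, the `.test` domains are placeholders, and the “last two labels” domain comparison and the extension list are simplifying assumptions rather than a standard.

```python
"""Triage an email for link text/destination mismatches and risky attachments.

Added example (not from the original article). The sample message is
constructed; the domains are placeholders under the reserved .test TLD.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short list of extensions the training list warns about.
RISKY_EXTENSIONS = {".exe", ".zip", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta"}


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Lowercase hostname of a URL or bare domain; None if text is not one."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host and "." in host else None


def registrable(host):
    """Crude site label: last two DNS labels (assumption: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def find_link_mismatches(html_body):
    """Links whose visible text names a different site than the real href."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        shown, actual = host_of(text), host_of(href or "")
        if shown and actual and registrable(shown) != registrable(actual):
            findings.append({"shown": shown, "actual": actual})
    return findings


def find_risky_attachments(msg):
    """Attachment filenames whose final extension is on the risky list."""
    risky = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            risky.append(name)
    return risky


def triage(raw_message):
    """Parse a raw RFC 5322 message and run both checks."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    body = html_part.get_content() if html_part else ""
    return {
        "link_mismatches": find_link_mismatches(body),
        "risky_attachments": find_risky_attachments(msg),
    }


def sample_message():
    """Constructed phishing-style message (not a real captured email)."""
    msg = EmailMessage()
    msg["From"] = "it-support@example-hospital.test"
    msg["To"] = "nurse@example-hospital.test"
    msg["Subject"] = "Password expires today"
    msg.set_content("Plain text fallback")
    msg.add_alternative(
        '<p>Log in at <a href="http://portal.example-hospital.test.evil-login.test/">'
        "https://portal.example-hospital.test</a> before 5pm.</p>"
        '<p>See the <a href="https://www.example-hospital.test/policy">policy</a>.</p>',
        subtype="html",
    )
    # Double extension: displays as "Password_Reset_Form.pdf" when extensions are hidden.
    msg.add_attachment(b"MZ placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="Password_Reset_Form.pdf.exe")
    return msg.as_string()


if __name__ == "__main__":
    print(triage(sample_message()))
```

The first link is flagged because its text names portal.example-hospital.test while the href points at a host under evil-login.test; the second link (“policy”) is not flagged because its text is not a domain at all. Links whose text is a plain word cannot be checked this way, which is exactly why the training advice is to hover.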
In the NRAD and Memorial Hermann Health System cases, it appears that the breaches were caused by rogue employees – also known as malicious insiders. The NRAD breach was caused by an employee who had access to the billing program and who used it to “access and acquire” patient information. In the Memorial Hermann Health System breach, the employee gained unauthorized entry to the EHR to view patients’ names, addresses, medical record numbers, dates of birth, health insurance information and Social Security numbers.
Though training teaches employees what it is appropriate to access, it is not likely to stop someone who deliberately accesses company data for their own use. This type of activity can be detected by reviewing audit logs (for example, looking for users who open far more patient records than peers in the same role, or who work in the system outside their normal hours) or by the actions of other observant employees, and it is discouraged when employees know that the company reviews audit logs for unusual activity.
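The audit-log review just described, as an added example that is not part of the original post or of any EHR vendor’s tooling: it reads a constructed audit log of chart views, compares each user’s number of distinct patients against the median for their role, and counts accesses outside business hours. The log format, user names, thresholds and business hours are all assumptions; real EHR audit logs differ and the thresholds would need tuning against a baseline.

```python
"""Flag insider-style access patterns in an EHR audit log.

Added example (not from the original article). The audit log is
constructed; the format "timestamp user role action mrn" is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median


def constructed_log():
    """Build a small constructed audit log (not real data)."""
    lines = []
    # Three billing clerks each open a dozen charts during the working day.
    for i, user in enumerate(["abrown", "cdavis", "elee"]):
        for n in range(12):
            lines.append(f"2014-06-02T{9 + n % 8:02d}:{(i * 7 + n) % 60:02d}:00 "
                         f"{user} billing VIEW {200000 + i * 100 + n}")
    # A fourth clerk with the same role pulls 120 charts, all at night.
    for n in range(120):
        lines.append(f"2014-06-02T{(20 + n % 8) % 24:02d}:{n % 60:02d}:00 "
                     f"jsmith billing VIEW {300000 + n}")
    return "\n".join(lines)


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, mrn = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "mrn": mrn})
    return events


def review(events, business_hours=(7, 19), ratio=3.0, min_records=20):
    """Return {user: [reasons]} for users whose access pattern stands out.

    A user is flagged when they opened at least `min_records` distinct charts
    and more than `ratio` times the median for their role, or when any access
    fell outside `business_hours` (start inclusive, end exclusive).
    """
    charts = defaultdict(set)       # user -> distinct patient MRNs
    after_hours = defaultdict(int)  # user -> count of out-of-hours accesses
    role_of = {}
    for e in events:
        charts[e["user"]].add(e["mrn"])
        role_of[e["user"]] = e["role"]
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            after_hours[e["user"]] += 1

    # Peer baseline per role; the median is robust to the outlier we are hunting.
    by_role = defaultdict(list)
    for user, mrns in charts.items():
        by_role[role_of[user]].append(len(mrns))

    findings = {}
    for user, mrns in charts.items():
        count = len(mrns)
        peer_median = median(by_role[role_of[user]])
        reasons = []
        if count >= min_records and count > ratio * peer_median:
            reasons.append(f"{count} distinct charts vs role median {peer_median:g}")
        if after_hours[user]:
            reasons.append(f"{after_hours[user]} accesses outside "
                           f"{business_hours[0]:02d}:00-{business_hours[1]:02d}:00")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in review(parse_log(constructed_log())).items():
        print(user, "->", "; ".join(reasons))
```

Note that jsmith has a legitimate billing role and every individual access would pass an authorization check, which is the NRAD and Memorial Hermann situation; only the volume relative to peers and the timing give the activity away. Comparing against the same role rather than the whole workforce matters, because a coder or front-desk clerk legitimately opens many more charts per day than a physician does.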
Protect Your Company
Is your company doing everything it can do to protect its confidential data? Stemp Systems can help your company do a risk assessment to assess your levels of risk. Using this information, we will recommend appropriate technology and procedures to protect your business. Don’t risk losing your company’s confidential information. Call us.