It’s hard to believe that January 2017 has come to a close. It’s that time of year when, depending on where you live, you’re celebrating your NFL or NBA team as winners. Unfortunately, where Litmos Healthcare is located we are, well, sports losers. We start the year with hope: hope that our teams will work together and execute a solid, winning performance. There’s always that one pass, that one tackle, that one missed basket that was the pivotal turning point in the “season.”
What was your pivotal turning point in 2016? What did you do to incite change within your organization?
Unlike in professional sports, in healthcare you can’t study your opponent’s film, break down their plays, or prepare your team to build a strong defense. Yet hackers are on the offensive, and their Lombardi Trophy is your Personal Health Information (PHI). What are you doing to build a stronger defense and protect your home court advantage?
In 2016, nine of the ten largest breaches targeted healthcare records, affecting almost 13 million individuals. Technically there isn’t any film to break down, but it is apparent that the target is PHI. So if PHI is in the end zone, how do you build a defensive line that protects it?
Start by analyzing your breach risk and prioritizing risk mitigation strategies. We all like to believe that our firewalls are secure, our devices are encrypted, and our staff is smart on social media and aware of the dangers of phishing emails, but even in a perfect world, something will slip through the cracks.
Who’s on your bench? If your defense has a crack in it, what’s your go-to plan? It’s imperative to have an up-to-date, well-tested incident response plan. The plan should clearly list the steps needed to protect your organization, as well as the resources you have identified for carrying them out. Your incident response plan should be clear enough that anyone within your organization can execute it and every safeguard it calls for.
According to the Center for Internet Security, you should have:
- Inventory of authorized and unauthorized devices.
- Inventory of authorized and unauthorized software.
- Secure configurations for hardware and software on mobile devices, laptops, workstations and servers.
- Continuous vulnerability assessment and remediation.
- Controlled use of administrative privileges.
Gather your team and hold recurring “practices.” Educating your staff to recognize ransomware and how to prevent it is the first step in developing a strong defense. Many breaches occur after a simple human error (or fumble). Create a game plan through education and let your staff become your human firewall. Out of ten possible entry points, only two are human entry points, so you are only as secure as your technology. When was the last time your software was updated or tested? What version of Internet Explorer are you allowing your staff to use online? The older the version of IE, the less secure it is, and the more vulnerable your workstations will be.
Organizations are strapped for resources and time, but compliance education shouldn’t be something your employees dread. If they approach the opportunity to learn with negativity, their retention will be less than ideal. You can use badging and gamification to inspire them and make them want to do their training.