October shares two holidays of horror: Halloween and National Cyber Security Awareness Month.
Unfortunately, not a week goes by without news feeds highlighting a new breach, hack, security vulnerability, or controversy involving compromised online accounts or activity. The last decade has been an epidemic of data security breaches, and security professionals expect the problem to keep growing.
“Cyber security is so vast, overall, and I think the perception is that there are systems and protections in place to safeguard us,” said Cindy Bartkus, senior vice president of the Quality Services Division of Registry Partners. “Couple that with the fact that people may not even know what they don’t know [about security], and you can see where awareness and education are important.”
Bartkus's distinction between education and awareness is a critical point. The first hurdle in training and education is making employees aware of the external threats to their operations, the mistakes they themselves can make, and the resulting ramifications.
Kellie Garland, project manager with over a decade working in the Registry Partners’ Oncology Services Division, reiterated the same sentiment of healthcare employees and cyber security: “I think they all … we all, know the risks exist. We may not understand how important we are to the equation and that it’s something shouldered by administration [of a facility].”
A report from Keeper Security on the state of SMB cybersecurity for 2017 stated that the number one cause of data breaches was employees. This contradicts the commonly held notion that data breaches are the work of hackers and outside attackers. To compound the issue, Protenus Inc. reported on Q2 2018 breaches that “on average, if an individual healthcare employee breaches patient privacy once, there is a greater than 30% chance that they will do so again in three months’ time and a greater than 66% chance they will do so again in a year’s time.”
Clearly, employees, and the choices they make, matter as much as very expensive firewalls, monitoring systems, and other technical safeguards in protecting sensitive information from incidents. But how do entities and employers increase the cyber security awareness of staff?
- Recognize the Importance of People: The choices staff make are vital to cyber security. So, too, is the power each employee has to add to the strength of his or her company or facility, in order to weather the volatile landscape of the digital 21st century. Organizations must empower staff with resources, education, and acknowledgment; just as staff must see themselves as a key component to cyber strength.
- Password Hygiene: Accountants don’t remember all the financial figures for a company. Librarians don’t remember every publication in the library inventory. Neither should users try to remember all their passwords or, worse, reuse the same password across multiple accounts. Use password management software to store all your credentials securely, while enjoying the benefit of much stronger randomized passwords. And never, ever share a password with anyone for any reason. Ever.
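As an added illustration of the two points in that bullet (generate passwords randomly instead of by hand, and never reuse one), the following Python is example code written for this article; it is not a Registry Partners tool or any particular password manager's code. It generates a password from the operating system's cryptographic random source, shows how much entropy a random password has compared with a short human-chosen one, and audits a small vault for reuse. The vault contents are constructed sample data.

```python
import math
import secrets
import string
from typing import Dict, List

# Character set for generated passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password drawn uniformly at random from `alphabet`.

    `secrets` uses the OS CSPRNG; `random` would not be safe for this purpose.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a string chosen uniformly from `alphabet_size` symbols.

    Each position contributes log2(alphabet_size) bits, so a 20-character
    password over 94 symbols has about 131 bits, while an 8-character
    lowercase word has only about 38 bits (and far less if it is a real word).
    """
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: Dict[str, str]) -> List[List[str]]:
    """Return groups of account names that share the same password.

    Only groups with more than one account are returned, and the passwords
    themselves are not included in the result, so the report can be shown
    without exposing credentials.
    """
    by_password: Dict[str, List[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return sorted(sorted(accounts) for accounts in by_password.values()
                  if len(accounts) > 1)


# Constructed sample vault (hypothetical accounts and passwords, not real data).
SAMPLE_VAULT = {
    "email": "Winter2018!",
    "ehr_portal": "Winter2018!",      # same password reused: this is the problem
    "bank": "q7$Kd#2vLm!pZ4rW",
    "vpn": "Winter2018!",
}


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw)
    print("entropy of generated password: %.1f bits" % entropy_bits(20, len(ALPHABET)))
    print("entropy of 8 random lowercase letters: %.1f bits" % entropy_bits(8, 26))
    print("accounts sharing a password:", find_reused_passwords(SAMPLE_VAULT))
```

The reuse audit is the same check most password managers perform in their "security audit" view; running it against your own exported vault (locally, never uploaded anywhere) is a quick way to find the accounts that need a fresh random password first.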
- Dial H for Help: Commissioner Gordon in Gotham City has the Bat Phone, and healthcare staff have a lifeline for help in questionable situations. Know whom to call or email for help when faced with a potential security decision or issue. Every healthcare entity has a privacy, compliance, or security office, staff member, or team. Make the choice to communicate with them before taking an action that might lead to an incident, rather than (most likely) speaking with them after the fact, during an incident investigation.
- Understand the Risk: Employees must understand the consequences of a potential action before they take it. For example:
  - What would happen if I open this email attachment?
  - Do I know it is safe?
  - If my computer were stolen right now, is the file I just moved to a local folder at risk?
  Considering the ramifications is often a good guide for when to act, refrain, or Dial H for Help.
- Engagement in Training: Healthcare entities must make HIPAA training and security education part of their operations and available to staff. Entities that are serious about the endeavor go beyond the typical annual training with more frequent interaction, using concepts and materials more engaging than simply reading a document. Staff, in turn, must partner in that training, with a commitment to participate fully and with effort.
Registry Partners takes cyber security very seriously and invites you to join us in this month’s challenge to become stronger and more vigilant in today’s world of increasing cyber threats. We are all important in the efforts to keep ePHI safe and preserve the privacy of those we help and serve.
Photo by tashatuvango on iStock