Protect Your Healthcare Company From a Data Breach | Binary Fountain

February 28, 2020

Ask an Expert: How to Protect Your Healthcare Company From a Data Breach

By: Kieran McQuilkin

Few things are more personal than health information, and it’s up to healthcare organizations to protect patients from a data breach by keeping it secure. In the digital age, that is easier said than done.

The medical world continues to grapple with stories of stolen data, ransomware and other security threats to health systems. There is no magic bullet for preventing security breaches, especially with millions of data points stored and transferred electronically. But there are proven tools and processes that minimize your company’s vulnerability.

We asked Mark Beckmeyer, Binary Fountain’s director of IT security, how healthcare organizations can protect themselves from a data breach. Here is his advice:

What implications does a healthcare privacy breach have that differentiate it from other industries?

In the black market, protected health information is vastly more valuable than other highly targeted information. The last time I looked, it was about a $20 to $1 ratio – for every $1 you get for credit card information you get $20 for medical information about a person.

One of the reasons it’s so valuable is the personal nature of it, and because financial information can be easily remedied. If your credit card is stolen it could be deactivated right away. Whereas with medical information and PHI, that information is nearly impossible to purge from the black market and, thus, has a much longer shelf life due to its long-lasting usefulness in nefarious schemes.

What are the biggest mistakes healthcare enterprises make with storing and/or transferring protected data? 

The biggest mistake is not knowing where data is internally stored and where and how PHI is being exchanged with other organizations. One of the biggest issues I came across in hospital organizations was senior management lacking knowledge about where their PHI was being used within their environment. It’s essential for those in any data-using roles, from patient experience to accounting to marketing, to know all avenues by which information comes in and out of the organization – and with whom it is shared.

What steps can I take right now to evaluate the security of my organization’s information?

To minimize the possibility of a data breach, the first step is to fully understand the sensitive nature of data that your organization uses or stores. I want to understand how we’re getting information, and if I know it will have PHI in it, is it from a partner of ours or a client? Is this data we’re cultivating ourselves?

The second step is to identify all potential risks to the organization and, third, to test existing safeguards to understand what needs to be fixed. All applicable privacy standards (especially HIPAA) need to be addressed enterprise-wide as well, along with industry best practices for using health data. These steps must be periodically repeated, so all departments across the organization are on board with a risk management program.

Mark Beckmeyer

How do I make sure corporate partners and vendors are protecting patient data? 

Understanding the nature of information shared with a partner, such as technology vendors or marketing agencies, will dictate the level of due diligence needed to ensure the appropriate level of protection.


If PHI is to be exchanged, the organization must conduct a thorough security assessment of the partner to ensure they are capable of protecting such information. As with your own risk management program, the external entities’ security assessment should be conducted periodically. That requires all departments to keep management abreast of data-sharing partnerships, to make sure they meet certain standards for information security.

How can I best protect my healthcare organization’s data from being lost or stolen? 

Defense in depth. You should look at applying security at multiple layers throughout the environment, from simple card key access on doors and alarms to laptops with access controls, encrypted hard drives, and a comprehensive set of policies and procedures that govern the security program.

Likely the biggest threat for healthcare firms is on the human-error side of security. You can have the best set of policies in the world, but if you don’t train your workforce and can’t push out reminders of procedures, that’s where the biggest threats can occur. The case in point is ransomware: One person clicks an attachment and all of a sudden it runs rampant throughout your network.

What are the first steps I should take after discovering a privacy breach? 

If a security-related event could jeopardize the protection of the organization’s sensitive information, the first step is communicating it quickly to security teams, who will try to isolate it from other parts of the network. The next thing is to fully understand how much data was exposed, how the incident occurred and how to remediate its root cause.

A very important consideration is to keep senior management informed of the incident status – they play key roles during and after the incident. Such roles include notifications to clients, responding to media inquiries, damage control and government reporting.

If you could give one piece of advice to a healthcare executive worried about their data security, what would it be? 

Make a commitment. Get the right people in there with the experience and skillsets to do what needs to be done. It will take time and effort, cost money and require following additional security policies, but make that commitment and stand by that commitment. If the company’s leaders and executive management aren’t committed to security, who in the organization will be?

Another overarching bit of advice I would give – and this is important – is to not be satisfied with just compliance. No matter your role at a healthcare firm, don’t just stop at HIPAA compliance. Understand, embrace and go boldly into the realm of best practices for security and privacy.



About the Author

Kieran McQuilkin
Content Marketing Specialist
