Culture of Confidentiality Part II
October 23, 2015
Your Health Center’s biggest information security threat is… your employees?
Information Security Professionals are constantly on the watch for new threats. Technologists deliver strong computer policies, database and device encryption, managed antivirus solutions, advanced redundant firewall technology, and intrusion detection systems. The amount of cost, time and effort that goes into delivering these systems can eat up a large chunk of any budget, and in the end it can all be thwarted by the part-time appointment scheduler working at the front desk.
A critical component to protecting your Health Center’s protected health data is the establishment of a culture of confidentiality within the office. Staff can get themselves in trouble with email, on the internet and with their mobile devices. Getting your staff to think about privacy and security first when making decisions can go a long way. Don’t let security and privacy training end at Federal HIPAA/HiTech regulatory training.
Today’s hackers are employing new methods. They know they don’t have to hack the data itself; they just have to hack the people with access to the data. Recently a string of security breaches was attributed to employees whose credentials had been compromised (outside of the office), allowing data thieves to operate unnoticed for long periods of time. Train staff situationally so they will know what to look for and how to react. A workforce that knows how to spot suspicious activity will be your best defense.
Here are just a few areas to start with:
Antivirus can’t always protect you
Most health centers these days employ anti-malware that can stop most viruses and spyware from getting into the building. The staff needs to understand that antivirus and anti-malware technology is reactive at best: it only recognizes what it has already been taught to recognize. While it does a great job, there will always be some new malicious code or new variant that your software definitions don’t know about yet. Train staff never to open an attachment that they aren’t expecting. If a message is legitimate it can always be resent. Reinforce the risks of ‘casual’ computer use at work. Ensure employees know the risks of giving out their work email address for personal use. Remind staff to use your Health Center’s systems for work, and nothing else.
Don’t get hooked
Phishing emails pose as legitimate messages, but contain links to websites that are looking to steal your data. More aggressive phishing scams will install ‘listeners’ on your computer that can capture keyboard strokes containing usernames and passwords. Many phishing emails look as if they are perfectly safe, but on closer inspection they can be spotted quite easily. Look for email addresses that don’t quite make sense or match up to the sender’s name or company name. Keep an eye out for poor spelling or grammar, or misplaced phrases. Be aware that government agencies, your credit card company, and the major shipping companies out there do not send out emails requesting information. Moreover, there is no one stranded in another country with millions of dollars for you if you can simply wire them a few thousand. All of these are attempts to get you to log into a nefarious site, giving the criminals all of your personal data (which might include usernames, email addresses and passwords). Again, if you aren’t expecting it… delete it.
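The red flags listed above (a display name that doesn’t match the sender’s domain, an unfamiliar sender, links to a bare IP address, urgency and credential language) can be checked automatically before a message ever reaches the front desk. The script below is an added example, not part of the original post; the two sample messages and the ‘known partner domains’ set are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Two constructed sample messages (not taken from the original post).
LEGIT_MSG = """From: Acme Clinic Billing <billing@acmeclinic.example>
Subject: Invoice for October
Content-Type: text/plain

Please find the October invoice attached.
"""

PHISH_MSG = """From: Acme Clinic Billing <acme-clinic-support@mail-verify.example>
Subject: URGENT: verify your account
Content-Type: text/plain

Your acount has been suspended, login here to verfy:
http://198.51.100.7/login
"""

# Phrases that pressure the reader into acting or handing over credentials.
URGENT_WORDS = ("urgent", "verify", "suspended", "login", "password")
# A link whose host is a raw IPv4 address rather than a named site.
IP_LINK = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")

def review_message(raw, known_domains):
    """Return a list of warning codes for one raw RFC 822 message; [] means no red flags."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    warnings = []
    # Display name claims an organisation that the sending domain does not belong to.
    tokens = [t for t in re.findall(r"[a-z]+", name.lower()) if len(t) > 3]
    if tokens and not any(t in domain for t in tokens):
        warnings.append("name-domain-mismatch")
    # Sender domain is not one the health center already corresponds with (assumed allowlist).
    if domain not in known_domains:
        warnings.append("unknown-domain")
    if IP_LINK.search(body):
        warnings.append("ip-link")
    if any(w in text for w in URGENT_WORDS):
        warnings.append("urgent-language")
    return warnings

if __name__ == "__main__":
    known = {"acmeclinic.example"}
    for label, raw in (("legit", LEGIT_MSG), ("phish", PHISH_MSG)):
        print(label, review_message(raw, known) or "no red flags")
```

A message with even one warning is a candidate for the ‘if you aren’t expecting it, delete it’ rule; the checks are heuristics and complement, not replace, the staff’s own judgment.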
Be wary of social media
We can’t help ourselves. We’re posting everything these days, and many people fail to make use of the basic privacy options available on sites such as Facebook, Instagram and Twitter. It’s not hard to find out where you live, where you went to school, your marital status, and the names of all of your kids, your dog, your cat and your bird. It’s all out there because you put it out there. Because of that it’s probably not a good idea to use passwords derived from family names or your high school graduation year. Teach your staff to use complex passwords and never to share them. Employ strong password policies on your network that prevent users from cycling back to a recently used password, and force users to change their passwords regularly. Also explain to your employees that their password is their ‘identity’ on the network: if I steal your password, I can do lots of bad things, all in your name.
Remote Access and Spyware
BYOD (Bring Your Own Device) is driving IT security managers bonkers. Everyone wants to get their email on their phone and wants to log in from home, using their home computer. Privacy and security training at work needs to translate into a more informed workforce at home. Train employees to understand that if they get hacked at home and then connect to work, they themselves might be responsible for a data breach at an organizational level. They need to demonstrate that they are also using anti-malware software (that is updated daily) on their home networks. These days many internet service providers offer free anti-virus and firewall software to their customers.
Overall, a staff that is trained to protect themselves on the internet is going to do a better job of protecting not only their own information, but also the Health Center’s. A staff that is “hyper-sensitive about security” is much better than one that is “security indifferent”. Make sure your employees know whom to contact when they do spot suspicious activity on your systems, and that you have a plan for responding to their reports. The time spent training up front will help protect your organization from the huge costs that data breaches bring with them.