Establishing a strong culture of security in any organization can be tough. I should know. I am a cybersecurity engineer, performing HIPAA-required security risk analyses for healthcare organizations of all sizes. Over the years, I have learned that the organizations that take cybersecurity culture seriously continuously remind patients of their information privacy rights, require two-factor authentication on protected systems, issue security badges that open secure doors and areas, and much more. Unfortunately, even these smart and commendable tactics are not enough to ward off a breach (and the HIPAA fines that could follow). In my experience, the ONLY way to create a culture of security is to incorporate these three factors:
The No. 1 Liability
The single most important part of creating a risk-based security culture is addressing the human element. An organization can have advanced technology controls in place on its systems and networks, and an employee can still circumvent them, inadvertently or otherwise.
Antivirus controls are a prime example: they may be automatically installed on every device, yet an employee still clicks on the malicious attachment in their email, which sets an attack in motion. It’s imperative that the proper security controls be in place AND that your employees are regularly educated and trained on cybersecurity.
Get buy-in from leadership
It’s easiest to create a risk-based security culture when a business is in its infancy. When that isn’t possible, an established healthcare facility can struggle to make the switch. The conversation must start with administrators and upper-level managers laying the foundation. Once a plan is in place, the message must be communicated from the top down as a priority, whether through an in-person company-wide meeting or a memo or email. It can be as simple as a message from the CEO: “Today we are establishing a more comprehensive and inclusive approach to security and mitigating the risk of unauthorized patient data access. Going forward, this is critical to our patients and our business.” Then the management team must be seen implementing smart tactics and being held accountable for security practices.
Learn from mistakes
To ensure buy-in from everyone in the organization, remove the shame and blame. Turn every incident into a learning opportunity rather than a punitive one. This makes it easier for staff to speak up, so security conversations happen more often and earlier.
Want More?
Here's a list of more immediate tactical steps organizations can take to become more secure. These are some of the primary gaps I find in healthcare companies when performing a HIPAA-required Privacy & Security Risk Analysis engagement:
- Identify all locations and devices in which ePHI exists in the healthcare facility and implement the necessary security controls.
  - TIP: This control could be a technology control or a business process. BOTH are required in an analysis.
- If biomedical devices communicate over the network, ensure they are on their own network segment, not mixed in with servers, PCs, printers, etc.
- If mobile devices are used to access business email, then ePHI exists in the user’s inbox. Create a mobile device management strategy (phones, tablets, laptops) that includes endpoint encryption and remote locate-and-wipe functionality.
  - TIP: If a business’ users get replacement phones and the old phones are turned in to the wireless carrier without being reset to factory defaults, that is potentially a reportable breach.
- Manage business associates that have access to PHI. Despite a business’ best security efforts, associates may be the weakest link in a company’s security architecture, and that weak link is still the responsibility of the primary healthcare organization.
- Review business process, network and system activity. In smaller environments in particular, devices are sometimes used (802.11 Wi-Fi access points, internet routers, and firewalls) that do not log data access or security events.
  - TIP: If the devices create, store, or transmit PHI, they must log activity.