Physical access to devices is the first and most important consideration in terms of securing data on devices. If a hacker can get their hands on the device, the data can almost always be compromised. This doesn’t just apply to the theft of an actual device. Computers in exam lanes, unattended reception desks, even stations or kiosks in public-use space like an optical station also allow access. A station left unattended for even seconds can be enough for a hacker to leave behind a remote-access program that can then be used later from offsite. In short, securing the physical device where data lives or is accessed is step one, and perhaps the most important step.
An IT plan needs to protect data at rest on devices and enforce secure methods of accessing it. A solid security plan needs to include:
- Comprehensive employee tech training: From securing company devices when off-premises to frequently changing passwords, every single staff member needs to be educated about possible vulnerabilities in their day-to-day interactions as well as proper use of software. Employers should also establish procedures to immediately report if a device has been compromised so the damage might be contained.
- Strong password protocol: Complex passwords should have more than eight characters comprised of uppercase and lowercase letters, numbers, and symbols. Spread out the numbers and special characters rather than bunching them together. To ensure the length and complexity is appropriate, use a password generator like the free one from LastPass. Have unique passwords for every user and every account. Co-workers using the same passwords leads to nightmare situations. Enforce a policy to change all passwords at a reasonable frequency—be it weekly, quarterly, or twice-yearly.
- Encryption protection: Encryption is a necessity when sending sensitive information electronically. Encryption of the drives holding the data is also necessary, so that a thief who steals the device cannot read what is on it. There are many tools available, but unfortunately setting them up is still a job for an IT professional. Mobile devices and computer operating systems now allow the entire hard drive to be encrypted in a way that is transparent to the user. Without it, data is wide open for the taking if a device is stolen. Encrypting data in digital transit is also important. Securing connections between two systems transmitting data ensures unauthorized listeners on the line hear nothing but gibberish.
- Up-to-date software: Unpatched or outdated software can expose as much risk as not having an antivirus program. Keeping software up to date closes the security holes that are exploited by hackers.
- Backup and recovery plan: Implement and follow a consistent backup plan. First determine what needs to be backed up: documents, databases, full systems, etc. Determine retention requirements—this may be dictated by regulations, business preference under risk assessment, and/or budget. Choose a schedule and methodology, as well as the technology, product, and vendor. Establish a data restore protocol and schedule and review regularly. Don’t have a false sense of security by thinking you can “set it and forget it.”
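The "strong password protocol" item above can be turned into a check that a practice can run against proposed passwords. This is an added example, not code from the article or from EVERNET; the article does not say how many digits or symbols in a row count as "bunched together", so the limit of two consecutive non-letter characters is an assumption, as are the sample account names and passwords, which are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumption: the article does not quantify "spread out", so more than
# MAX_NON_LETTER_RUN consecutive digits/symbols is treated as "bunched".
MIN_LENGTH = 9          # "more than eight characters"
MAX_NON_LETTER_RUN = 2  # assumed threshold, not from the article


@dataclass
class PolicyResult:
    ok: bool
    failures: list[str] = field(default_factory=list)


def longest_non_letter_run(password: str) -> int:
    """Length of the longest consecutive run of digits or symbols."""
    longest = run = 0
    for ch in password:
        run = 0 if ch.isalpha() else run + 1
        longest = max(longest, run)
    return longest


def check_password(password: str) -> PolicyResult:
    """Check one candidate password against the article's complexity rules."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        failures.append("no symbol")
    run = longest_non_letter_run(password)
    if run > MAX_NON_LETTER_RUN:
        failures.append(f"digits/symbols bunched together (run of {run})")
    return PolicyResult(ok=not failures, failures=failures)


def shared_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used by more than one account to those accounts.
    In a real audit compare password hashes, never a plaintext store."""
    by_password: dict[str, list[str]] = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}
```

`shared_passwords` covers the "unique passwords for every user and every account" rule by flagging any password that two or more accounts share.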
A medical entity also needs to think about how the data will be moving digitally—data in motion. This means if the data lives on a server and will be accessed remotely by a workstation or mobile device, the connection between the server and client must be secure. The most common method here is a Virtual Private Network or secure tunnel, which encrypts the data traffic between two computers for the duration of their session. Users will see this when web browsing as the “s” in the “https” of website addresses. No “s” means not secure.
Medical providers have the added burden of complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule that “requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI (Protected Health Information)” according to the U.S. Dept. of Health and Human Services. Simply installing an antivirus program will not satisfy this requirement. Every computer, laptop, tablet, and server should have the Essentials suite: AntiVirus, Backup, Patching, and Monitoring.
HIPAA compliance also applies to anyone who delivers treatment, operations, or payments in healthcare. In addition to having their own IT safeguards, every hospital and healthcare organization must protect itself through a well-defined and enforced business associate management program. It covers their business associates such as accountants, medical equipment suppliers, and document shredding companies. Business associates are now subject to the same penalties as healthcare providers for noncompliance. If a penalty is issued, it can range from $100 to $50,000 per violation (or record) with a maximum penalty of $1.5 million per year of violations of an identical provision.
IT management can be overwhelming, time consuming, or confusing. One solution is to outsource the IT function to experienced, trusted professionals. The best way to look at the benefits of IT outsourcing is to understand that for the same money or less than a staffed employee, a company or organization can have access to more skilled labor with more availability. In addition to mitigating data breaches, the benefits of outsourcing IT include computer repair, employee training, data backup, and recovery and implementation of the best tech solutions, tools, and processes.
Eric Buhrendorf has been consulting and supporting businesses and their IT needs for 15 years. He is the CEO and Senior Consultant of EVERNET Consulting, LLC based in Hartford, Conn. He leads a strong team of technology professionals who execute on his proven experience and methods. www.evernetco.com