In 2014, over 95% of all security incidents were the result of human error. In the health industry this is particularly alarming as not only are security incidents potentially harmful to the organization’s reputation, it is also quite costly as fines and penalties of breaches are reaching an all time high.

Exploited electronic health care records can endanger the patient’s health as well as their privacy and security. In 2013, the calculated cost of medical identity theft was $12B, along with patient safety in terms of misdiagnoses, delayed treatment, or incorrect prescriptions. Costs are likely to increase as more breaches occur.

Economic incentives for the quick adoption of Electronic Health Records (EHRs) have prompted health care groups to rapidly adopt EHR systems. Unfortunately,  organizations have not adopted cyber security measures at the same pace. Hackers are aware that the health care industry has taken a lax approach to HIPAA and are exploiting the vulnerabilities in healthcare cyber security measures. Hackers are becoming increasingly more sophisticated. It is predicted that there will be a 125% increase in the number of intentional attacks over the next 5 years. The solution is to create a culture of security with your employees. To help get you started here are 8 easy steps to take:

  1. Teach Password Management: Passwords are the weakest form of protection; however, poor password management policies can break an organization’s entire cyber security system.
    • Be sure staff is aware of the password creation requirements (length and complexity)
    • Make sure they are aware of password expiration lengths – also tell instruct them that just changing a number or symbol does not create a strong new password
    • Have a system in place for them to store their passwords securely (under the keyboard or on sticky notes isn’t secure)
    • Don’t allow password sharing
    • Teach the dangers of using the same password for different systems/sites/personal/professional – we all know this is a pain; however, if they have a good storage and management system in place this becomes less of a headache
  2. No Social Media at Work (even while on break): This is a tough one. But the work computer is just that a WORK computer and should not be used for personal use even if the employee is on a break or at lunch. Social media sites are a hot spot for embedded malware and click bait links that direct users to dangerous sites. It is also easy to snap a selfie at work and post it to social media sites where PHI or a patient may be visible in the background.
  3. Speaking of Social Media: Social Media even while at home and not posting work selfies can be potentially dangerous to your organization. Social media is a great hunting ground for would-be phishers to gather information for either spear phishing or identity theft. Teach your employees the importance of applying the maximum security settings on their social media accounts.
  4. While we are talking about Phishing: Phishing is not a new concept, it has been around since the dawn of the internet. It continues to be an effective form of theft/hacking because despite better awareness of how dangerous opening attachments or clicking on links without first confirming with the sender the legitimacy, employees continue to allow malware to spread through the organizational network because they cannot resist the bait.
  5. Phishing isn’t just electronic either: That’s right, remember how I said how important it was that social media accounts be set to the highest settings? Basic corporate and personal information is generally available online, no need to make it easier for criminals to victimize you. Phishing scams over the phone call with what appears to be a legitimate reason. Train your staff to be alert and wary of callers calling asking for sensitive information over the phone.
  6. Lock Computers and Devices: If you aren’t sitting at your desk or in front of your laptop, you don’t need the screen to be visible to the world. Implement a short interval auto-logoff fail-safe; but, still instruct your staff to lock all devices when they step away, even if it’s just for a minute.
  7. Train your employees: This means more than just a HIPAA 101. Training your staff on the rules and regulations of HIPAA can be beneficial; however, it is not what is required by the Security Rule. The Security Rule mandates that HIPAA covered Entities and their Business Associates train their staff on their policies and procedures. It is not sufficient to tell your employees that they have to protect their passwords, you must instruct them on YOUR organization’s procedures for password management. Periodically sending security reminders and short training sessions on security vulnerabilities is a highly affective way of training your employees and reducing your security vulnerability.
  8. Take an Active Role: Explain that employees must use common sense and take an active role in security. If they see suspicious activity, they must report it. If employees become aware of an error, even after it has happened, reporting it means something can still be done to minimize the damage. Cyber security is a matter that concerns everyone in the organization, and each employee needs to take an active role in contributing its security.

Instructing your employees these simple security tactics and greatly enhance your organization’s security. Contact us to learn how you can use HIPAAtrek as your organization’s guide to HIPAA privacy and security.