Reduce Employee Email Risk by Taking Decisions Away from Users
Employees and human error often top the list of the healthcare sector’s biggest threats. Since people are the ones clicking malicious links, engaging with targeted phishing campaigns and mistakenly sending emails to the wrong recipient, it’s easy to place the blame on human error, as explained by Jessica Davis in HealthITSecurity.
Where’s Your Perimeter?
Just 10 years ago, healthcare organizations approached security as the need to wrap some kind of protection around the perimeter. “In today’s world with cloud, mobility and the need for rapid sharing — where is your perimeter now?” Bower noted. “There isn’t really a perimeter anymore. It’s really where the user is accessing the data.”
“Ultimately, to reduce that kind of risk and enable business agility, an organization needs to protect the data and do it at the level of the user,” he continued. “You need to be able to identify the user, allow them access and enable the user to correspond using secure communication.”
Margarita Gonzalez of the Georgia Tech Research Institute shared similar thoughts at the HIMSS Security Forum in October: “A lot of the talk is that humans are the weakest link. But the reality is that the human is actually an asset to the organization.”
“So how do we design security interventions — so not just technology, but a holistic approach to policies, procedures, operations — that are human-centered? So together, with technology, you now have human-centered security,” she added.
HIPAA and the HITECH Act are helpful as they require organizations to think about how to label the data as sensitive, and “ultimately manage that so the end users don’t have to make risk decisions themselves,” Bower explained. He noted that to get there, organizations need to think about the user as the perimeter of the business, as they’re processing and handling information.
“The first step is to classify information: essentially tagging the information so that it can be treated according to the risk it contains, like HIPAA patient data,” said Bower. “You can’t expect users to make that decision themselves. You need automation tools to guide users through that process.”
He continued, “It creates awareness for the user and a relationship with data, while the tools and technology should be able to handle the processing of that information and how it’s classified.”
Next, organizations should embrace and evaluate some of the more innovative technologies designed to protect sensitive data, explained Bower. In particular, encryption can shore up some of these serious vulnerabilities, given that many organizations don’t have processes to eradicate emails after they’ve been sent.
As a result, plenty of this data remains dormant in email accounts. As seen in several recent breaches caused by phishing attacks, leaving patient data in emails is a serious risk. “The consequences of these incidents are obvious: fines, remediation, having auditors crawling all over the business,” said Bower. “The good news is that those exact scenarios can be eliminated by embracing new technology to predict when these scenarios may happen to users and give warnings that can avoid inappropriate sharing of information.”
When sharing sensitive information, it’s important to educate the user on how to go about it in the most appropriate way. Bower explained, “It boils down to empowering users with user-centric tools. They can get on with business without increasing risk and obviously staying compliant.”
“Organizations need to be able to bring tools that enable very simple and seamless sharing — without making users make decisions themselves. It’s a good best practice,” he continued. “What will it take to keep users from trying to solve this problem on their own and taking that risk?”
Tools that bolster security around data sharing are also crucial to streamlining the evidence that an organization is meeting regulations, since they make it simple to report, with snapshots, on where the sensitive data has gone, who has accessed it, how sensitive data has been retracted and whether that access was appropriate, he explained.
“Organizations need to be able to share that information and bring it under one umbrella for compliance purposes,” Bower said. “It’s also a cost benefit, as organizations can avoid going to multiple places to collect that data, which can be disrupted.”
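As an added illustration (not code from the article or from anyone quoted in it) of what taking the sharing decision away from the user looks like in practice: a small outbound-mail policy check that tags a message by constructed PHI indicators, enforces the action (allow, force encryption, block) from the recipient domains alone, and records every decision in one audit log for the compliance reporting described above. The domains, the regex patterns and the `classify`/`decide` names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed indicators standing in for an organisation's own tagging rules.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}
INTERNAL_DOMAIN = "example-hospital.org"      # constructed
PARTNER_DOMAINS = {"example-clinic.org"}      # constructed: partners with encryption set up

AUDIT_LOG: list[dict] = []   # single "umbrella" record of where tagged data went


@dataclass(frozen=True)
class Decision:
    label: str                 # "PHI" or "PUBLIC"
    action: str                # "allow", "encrypt" or "block"
    indicators: tuple          # which patterns fired


def classify(body: str) -> tuple[str, tuple[str, ...]]:
    """Tag the message by the PHI indicators it contains."""
    hits = tuple(name for name, pat in PHI_PATTERNS.items() if pat.search(body))
    return ("PHI" if hits else "PUBLIC"), hits


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def decide(sender: str, recipients: list[str], body: str) -> Decision:
    """Apply the sharing policy automatically; the sender is never asked to choose."""
    label, hits = classify(body)
    domains = {domain(r) for r in recipients}
    if label == "PUBLIC" or domains <= {INTERNAL_DOMAIN}:
        action = "allow"          # no PHI, or PHI that stays inside the organisation
    elif domains <= {INTERNAL_DOMAIN} | PARTNER_DOMAINS:
        action = "encrypt"        # known partner: encryption is forced, not offered
    else:
        action = "block"          # unknown external recipient: inappropriate sharing
    AUDIT_LOG.append({"from": sender, "to": sorted(recipients), "label": label,
                      "action": action, "indicators": list(hits)})
    return Decision(label, action, hits)


if __name__ == "__main__":
    print(decide("nurse@example-hospital.org", ["billing@example-clinic.org"],
                 "Patient MRN 00123456, DOB 04/12/1980, follow-up scheduled."))
    print(decide("nurse@example-hospital.org", ["someone@example.com"],
                 "Patient MRN 00123456 needs records sent."))
    print(AUDIT_LOG)
```

The audit records are the raw material for the snapshots Bower describes (where sensitive data went, to whom, and whether the action was appropriate), collected in one place rather than reconstructed from several systems after the fact.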
“Tech is tech, and we have to have it,” said David Finn, Executive Vice President of Strategic Innovation for CynergisTek. “At the end of the day, security is a people issue. Use tools to see what they do and how they can improve and that includes patients. We need to build security, not into the technology, but into people and processes.”
HIPAAcraticRx offers online training and certification to help your staff navigate an array of privacy issues. Contact us for more information as to how we can help keep your data secure.