Because the COVID-19 pandemic, the best way we work has essentially modified. Gone are the times the place a neighborhood workforce confirmed up every day to work onsite at company workplaces. In the present day, you’re extra more likely to discover a hybrid (dwelling / workplace) setup or, in some circumstances, a completely distant workforce. These modifications imply we have to take a detailed take a look at our data safety insurance policies and procedures.
Most healthcare suppliers have relied on the community perimeter to safe community infrastructure, the place community endpoints are related to a managed community, protected by applicable safety controls at related entry factors (firewalls, managed Wi-Fi, and bodily safety). Within the new hybrid world, the community perimeter is extra more likely to be an worker’s particular person system. How can we guarantee treasured healthcare information is sufficiently secured in these circumstances?
Listed below are 5 steps it is best to take proper now:
- Know your gadgets. We are able to’t safe what we don’t learn about, so stock what gadgets are in use, and the place. Are customers solely utilizing company-supplied gadgets, or can we allow using private machines? There are completely different safety considerations with every. Contemplate using a cellular system administration (MDM) answer to offer centralized management of all gadgets in order that directors can handle software program updates and patches, safety controls reminiscent of disk encryption, USB restrictions, and password necessities.
An MDM answer additionally enables you to remotely lock and wipe a tool ought to it change into misplaced or if the consumer exits the group. If user-owned gadgets are permitted, take into account further controls reminiscent of information loss prevention or using a distant desktop/workspace instrument to stop delicate information from reaching a consumer’s private machine.
- Improve your anti-virus / anti-malware strategy. Conventional merchandise don’t supply ample safety in opposition to in the present day’s extra superior threats. Consider using a next-generation anti-virus endpoint detection and response (EDR) answer that displays all endpoint exercise and can alert directors to any suspicious exercise / indications of compromise so you possibly can act shortly.
- Reinforce your entrance door. Guarantee all logins are secured utilizing multi-factor authentication and implement single sign-on (SSO) the place attainable. This enables an administrator to dam all entry simply ought to an account change into compromised. Audit all consumer accounts recurrently for indicators of suspicious exercise, and to make sure that dormant accounts are disabled.
- Contemplate digitizing your workflows. Each step of healthcare entails the alternate and overview of bodily paperwork: affected person consumption and consent, insurance coverage verification, appointment administration, fee processing, and so forth. Guaranteeing doc safety is straightforward in a managed space with managed gadgets (computer systems, printers, fax machines) and entry to safe doc disposal. With a distant workforce, how are you going to confirm that employees are managing this data appropriately? Contemplate partnering with a vendor who can digitize this entire workflow for you. Not solely will this vastly scale back the safety threat related to improper dealing with of delicate data, you may also drive improved affected person engagement and success by providing digital self-service choices.
Hold the people within the loop
I’ve talked primarily about technical controls, however let’s not overlook what’s arguably the largest threat issue of all: the human factor. Even the most effective technical controls on the planet can’t forestall a person from making a easy mistake with large penalties. It begins on the prime: safety have to be a part of your organization tradition and that message ought to come from the C-suite. Your worker consciousness program ought to lay out what’s, and what’s not, allowed. Be certain everybody understands how severe the implications might be if we get issues mistaken. Guarantee you might have properly documented, easy-to-follow procedures for dealing with delicate information, and an open communication channel so your workers can ask questions if they don’t seem to be positive on the right solution to do one thing.
– Commercial –
Educate workers on social engineering, phishing, and ransomware assaults in order that they know what to search for and what to do in the event that they suppose they’re being focused. Be certain they’re conscious of the dangers related to public, unsecured Wi-Fi networks. Contemplate mandating using a VPN connection when accessing delicate data remotely.
Your worker consciousness perform shouldn’t be an annual, ‘tick the field’ train to make sure compliance. As an alternative, develop an ongoing, steady course of to make sure you are doing all you possibly can to be safe.
After getting all of the above in place, take into account certifying your data safety program in opposition to a longtime framework reminiscent of HITRUST CSF or performing a SOC 2 Kind 2 attestation audit. This makes it clear —each internally and along with your companions and clients— that you’ve ample insurance policies, procedures and controls in place, and that they’re working successfully.
Nick Lees is the director of knowledge safety and compliance at Luma Well being. Nick has greater than twenty years of expertise in Safety, Compliance, and Infrastructure Engineering working for organizations throughout the globe reminiscent of Luma Well being, Crimson Canary, Thomson Reuters, and IBM. Join with Nick on LinkedIn.
– Commercial –