Guest Column | May 15, 2015

A Great Communications Strategy Is No Cure For A Terrible Cyber Security Plan


By Cameron Burke, SVP Business Development, DeliverySlip

It has been more than three months since 80 million people had their most sensitive data stolen during the largest healthcare data breach ever at Anthem Inc. There is little question Anthem executed an effective crisis communications strategy. Customers and the FBI were notified within a week of the breach. Cyber security experts were brought in to evaluate systems and to investigate “potential remedies.” The company set up a website, www.anthemfacts.com, along with various social media feeds and updates in an attempt to keep those impacted up to date.

From a crisis management perspective, Anthem checked all the boxes. However, from an IT perspective, it failed to protect its customer data, allowing “hackers” to use a stolen employee password to access the database. Anthem deemed it a “sophisticated attack”; however, many in the IT industry quickly recognized the breach had far more to do with Anthem’s lack of basic security measures than overzealous hackers.

Unfortunately for Anthem’s 80 million exposed customers, the company is learning its security lesson the hard way. For others in the healthcare industry it presents an opportunity to do better. There is no shortage of encryption and security solutions on the market designed to comply with HIPAA regulations, but the challenge for many healthcare organizations is protecting sensitive information without hindering communications and productivity – or blocking them altogether.

Traditional encryption solutions are cumbersome and difficult to deploy and use. More often than not, they require several added steps in order to send a secure message and often force the user to leave their existing email system to enter a different application. For healthcare IT departments, traditional encryption tools often don’t integrate well with existing technology platforms and are complicated to implement, with a steep learning curve. Content is sometimes left unencrypted because people want to be able to search the data or need it to be available for other business purposes such as analytics. Neither reason justifies leaving data exposed. Despite this, many healthcare organizations are doing the minimum to meet security regulations – Anthem as a case in point.

The good news is that healthcare organizations no longer need to choose between security and effective communication or productivity. There is a new generation of cost-effective technologies available that protect patient data, are easy to use and still leave content accessible. When looking for security and data loss prevention solutions, healthcare organizations should consider the following:

Employee Behavior And Ease Of Use
Understanding how best to secure email communications means finding ways to incorporate solutions that align to employee work behaviors, not the other way around. While educating staff on security policies and procedures is critical, as is having a good crisis communications plan, it is only the starting point. Healthcare organizations should look for solutions that are easy to use and provide unobtrusive protection through content filtering, permission rules and authentication to automatically prevent transmission of sensitive information. The Ponemon Institute reports that the leading cause of data security breaches is insiders. Look for security tools that include the ability to “call back” secure messages and attachments after the fact, as well as ones that provide additional productivity features that allow users to track when a message has been read and control whether recipients can “reply to,” “forward” or “print” secure messages.

Ease Of Administration
The best security solutions give healthcare administrators complete access to monitor the flow of data in real time, making it easier to identify and address violations. IT administrators should also have the ability to make quick adjustments to the system related to encryption, content filtering, anti-virus and more. Ideal data loss prevention and messaging security tools also enable administrative access using an uncomplicated interface.

Proven Experience In Healthcare Environments
Messaging security and data loss protection solutions have been around for years. Healthcare organizations should be able to find a solutions provider with a history of delivering reliable service that has successfully counteracted data loss. Ask about the specifics of a provider’s history, including details about how their solutions continue to evolve to meet the changing needs of diverse threats, global industry requirements and technologies.

While Anthem’s breach didn’t result from a sophisticated attack, there is little question that sophisticated hackers do exist. No technology can offer 100 percent security or compliance, but healthcare organizations that use an integrated, dynamic approach (one that doesn’t just rely on an effective crisis plan) will significantly increase their odds of protecting their customer data and their reputation. This means taking into account end-user behavior (and adapting to it) along with using proven and flexible security solutions that go beyond regulatory compliance to offer greater control and productivity.

About The Author
Cameron Burke is senior vice president of business development at DeliverySlip.