By Isaac Kohen, founder and CEO, Teramind
When it comes to data breaches, the threat very often comes from within your organization.
These insiders may be negligent employees who prioritize speed over security, succumb to curiosity, or fall for email phishing scams. Insiders can also be malicious, selling protected health information (PHI) for money or to 'get back' at an institution. Whatever the motive, the insider is often the weakest point in even the most robust security plan.
However, there are several things you can do to ensure employees are security conscious and to reduce the risk and impact of an insider attack.
Develop An HR-IT Partnership
The human resources team should work closely with IT to monitor for instances of suspicious behavior. Warning signs that an insider is at risk of becoming a threat include greed or financial need, unexplained financial gain, compulsive and destructive behavior, ethical "flexibility", and reduced loyalty. HR is likely to get the first indication of such behavior and can alert IT to the need for increased online monitoring.
Put Special Emphasis On Onboarding And Offboarding
Onboarding, beginning at the hiring phase, provides opportunities to properly screen and vet candidates and to ingrain safe data practices from day one. Offboarding procedures should include steps to ensure that HR notifies IT without delay, so that access to applications, data, and facilities is revoked as soon as the employee leaves and no account is left active.
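The HR-to-IT handoff described above fails silently when a notification is missed, so a practitioner will want a periodic reconciliation of the HR termination feed against the identity store. The following is an added example, not code from the author or from Teramind: it compares a constructed HR roster with a constructed account export and reports accounts that are still enabled or were used after the termination date, plus accounts with no HR owner at all. The record formats, field names, and the zero-day grace period are assumptions for the illustration.

```python
"""Added example (not the author's or Teramind's code): reconcile an HR
termination feed against an identity-store export to catch offboarding gaps.
Record formats and the grace period are assumptions for this illustration."""
from datetime import date, timedelta

# Constructed HR feed: one row per employee, termination date as ISO string or None.
HR_ROSTER = [
    {"emp_id": "1001", "username": "jdoe",   "terminated": "2024-03-01"},
    {"emp_id": "1002", "username": "asmith", "terminated": None},
    {"emp_id": "1003", "username": "bwong",  "terminated": "2024-02-15"},
    {"emp_id": "1004", "username": "cpatel", "terminated": "2024-03-04"},
]

# Constructed identity-store export: enabled flag and last logon (ISO string or None).
IDENTITY_ACCOUNTS = [
    {"username": "jdoe",        "enabled": True,  "last_logon": "2024-03-03"},
    {"username": "asmith",      "enabled": True,  "last_logon": "2024-03-04"},
    {"username": "bwong",       "enabled": False, "last_logon": "2024-02-14"},
    {"username": "cpatel",      "enabled": True,  "last_logon": "2024-03-04"},
    {"username": "svc_backup",  "enabled": True,  "last_logon": "2024-03-04"},
    {"username": "contractor7", "enabled": True,  "last_logon": None},
]

GRACE_DAYS = 0  # assumed policy: access must end on the termination date itself


def offboarding_findings(roster, accounts, today_iso):
    """Return a list of (username, finding) pairs.

    Three checks, in order of urgency:
      1. account still enabled after the termination date (plus grace period)
      2. a logon recorded after the termination date, i.e. access was actually used
      3. an enabled account with no HR record at all, which has no owner to offboard
    """
    today = date.fromisoformat(today_iso)
    terminated = {
        r["username"]: date.fromisoformat(r["terminated"])
        for r in roster if r["terminated"]
    }
    known_users = {r["username"] for r in roster}
    findings = []
    for acct in accounts:
        user = acct["username"]
        if user in terminated:
            term_date = terminated[user]
            if acct["enabled"] and today > term_date + timedelta(days=GRACE_DAYS):
                findings.append((user, "enabled after termination date"))
            last = acct["last_logon"]
            if last and date.fromisoformat(last) > term_date:
                findings.append((user, "logon after termination date"))
        elif user not in known_users and acct["enabled"]:
            findings.append((user, "enabled account with no HR record"))
    return findings


if __name__ == "__main__":
    for user, finding in offboarding_findings(HR_ROSTER, IDENTITY_ACCOUNTS, "2024-03-05"):
        print(f"{user:12s} {finding}")
```

Running the reconciliation daily, and treating "logon after termination date" as an incident rather than a hygiene item, turns the offboarding procedure into something that is verified rather than assumed. Accounts with no HR record are not necessarily wrong (service accounts are expected), but each one should have a named owner, which is exactly what the report forces you to establish.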
Deliver Initial And Ongoing Security Awareness Training
This training must be mandatory for everyone in a hospital or physician practice who has access to data, and it must go beyond dry PowerPoint presentations in order to be effective. Phishing simulations, gamification, bite-sized learning, and rich e-learning courses do a better job of gaining attention and ensuring retention. Education sessions can also be used to share the characteristics of malicious insiders so fellow employees know what concerns to raise to management. Here are some innovative and impactful approaches to security education:
Conduct A Threat-Response Simulation With Senior Leaders
Today, it’s a matter of when, not if, you will encounter a breach. Develop and conduct a threat-response simulation with your leadership team. Such a simulation helps to ensure that leadership is prepared to respond to a data leak with prompt actions to close the leak, inform those impacted, report to appropriate agencies, and document lessons learned.
Use Online Monitoring Software To Listen For And Alert On Breaches
Such monitoring technology logs access to data and alerts IT staff to suspicious behavior such as data transfers leaving the organization via email, USB devices, or cloud services. Prompt attention to such activity limits the damage and allows for rapid notification of affected parties.
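To make concrete what "alert on suspicious transfers" means in practice, here is an added example that is not code from the author or from Teramind: a small detector run over constructed user-activity audit events. It flags the three outbound channels named above (email, USB, cloud services), distinguishes corporate destinations from personal webmail and personal cloud storage, adds an after-hours signal, and escalates any user who used two or more outbound channels suspiciously in one day. The event layout, thresholds, domain lists, and business-hours window are assumptions for the illustration.

```python
"""Added example (not the author's or Teramind's code): rule-based detection of
outbound data transfers over constructed audit events. The event format,
thresholds, domain lists and hours are assumptions for this illustration."""
from collections import defaultdict

# Constructed audit events: (timestamp, user, channel, destination, bytes).
SAMPLE_EVENTS = [
    ("2024-03-04T09:12:00", "jdoe",   "email",        "partner-clinic.example", 45_000),
    ("2024-03-04T09:40:00", "jdoe",   "cloud_upload", "sharepoint.corp.example", 2_000_000),
    ("2024-03-04T18:05:00", "jdoe",   "usb_write",    "E:\\",                   850_000_000),
    ("2024-03-04T18:09:00", "jdoe",   "email",        "gmail.com",              12_000_000),
    ("2024-03-04T10:00:00", "asmith", "cloud_upload", "dropbox.com",            300_000_000),
    ("2024-03-04T11:00:00", "asmith", "email",        "partner-clinic.example", 20_000),
    ("2024-03-04T12:00:00", "bwong",  "file_read",    "ehr.corp.example",       5_000),
]

# Assumed destination lists: the organisation's own domains, and common personal services.
CORPORATE_DOMAINS = {"corp.example", "partner-clinic.example"}
PERSONAL_CLOUD = {"dropbox.com", "drive.google.com", "box.com", "icloud.com"}
WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "proton.me"}

# Assumed thresholds and business hours.
USB_WRITE_ALERT_BYTES = 100 * 1024 * 1024
EMAIL_ATTACH_ALERT_BYTES = 10 * 1024 * 1024
CLOUD_UPLOAD_ALERT_BYTES = 50 * 1024 * 1024
AFTER_HOURS_START, AFTER_HOURS_END = 18, 7   # 18:00 to 07:00


def is_internal(destination):
    """True if the destination is a corporate domain or a subdomain of one."""
    host = destination.lower()
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


def after_hours(timestamp):
    hour = int(timestamp[11:13])
    return hour >= AFTER_HOURS_START or hour < AFTER_HOURS_END


def event_findings(event):
    """Return the list of reasons an event is suspicious (empty if it is not)."""
    ts, _user, channel, dest, nbytes = event
    findings = []
    if channel == "usb_write" and nbytes >= USB_WRITE_ALERT_BYTES:
        findings.append("large write to removable media")
    elif channel == "email" and not is_internal(dest):
        if dest.lower() in WEBMAIL:
            findings.append("attachment sent to personal webmail")
        elif nbytes >= EMAIL_ATTACH_ALERT_BYTES:
            findings.append("large attachment to external domain")
    elif channel == "cloud_upload" and not is_internal(dest):
        if dest.lower() in PERSONAL_CLOUD:
            findings.append("upload to personal cloud storage")
        elif nbytes >= CLOUD_UPLOAD_ALERT_BYTES:
            findings.append("large upload to unsanctioned cloud service")
    # Timing only adds weight to an event that is already suspicious.
    if findings and after_hours(ts):
        findings.append("outside business hours")
    return findings


def detect(events):
    """Return (alerts, escalations).

    alerts: one dict per suspicious event, in input order.
    escalations: users who used two or more distinct outbound channels
    suspiciously on the same day, the pattern that most deserves a human look.
    """
    alerts = []
    channels_by_user_day = defaultdict(set)
    for ev in events:
        findings = event_findings(ev)
        if not findings:
            continue
        ts, user, channel, dest, nbytes = ev
        alerts.append({"user": user, "time": ts, "channel": channel,
                       "destination": dest, "bytes": nbytes, "reasons": findings})
        channels_by_user_day[(user, ts[:10])].add(channel)
    escalations = sorted({user for (user, _day), chans in channels_by_user_day.items()
                          if len(chans) >= 2})
    return alerts, escalations


if __name__ == "__main__":
    alerts, escalations = detect(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a['time']} {a['user']:8s} {a['channel']:13s} {a['destination']:24s} "
              f"{a['bytes']:>12,d}  {'; '.join(a['reasons'])}")
    print("escalate:", escalations)
```

On the constructed data this raises three alerts (a large USB write and a webmail attachment for one user, a personal-cloud upload for another) and escalates only the user who combined two channels after hours. The design point is that a single threshold rule produces noise; correlating channels per user per day, and weighting by timing and destination, is what lets a small team act quickly on the transfers that matter and start the notification process the article describes.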
Finally, remember you’re not alone in the effort around data security. Harness the wisdom of your peers. Resources such as the National Health Information Sharing and Analysis Center, the CDC/Department of Health and Human Services cyber discussion guide, and the Healthcare Information and Management Systems Society (HIMSS) Healthcare Cybersecurity Community can help you stay informed and prepared.
About the Author
Isaac Kohen is the founder and CEO of Teramind, an employee monitoring and insider threat prevention platform that detects, records, and prevents malicious user behavior, in addition to helping teams drive productivity and efficiency. Isaac can be reached at email@example.com.