3. Conduct more frequent vulnerability assessments and penetration testing

The threat from malicious outsiders – hackers – has the potential to wreak havoc on the healthcare industry. While there have not been widespread occurrences, there can be no room for complacency. Just consider that 12th  largest breach of all time was the 2012 hacking incident at the Utah Department of Health (780,000 patient records).

In our opinion, hacker attacks are likely to increase in frequency over the next few years. Personal health records are high value targets for cybercriminals as they can be exploited for identify theft, insurance fraud, stolen prescriptions, and dangerous hoaxes. In addition, many health providers process and store credit card information.

To combat this threat, we recommend ongoing vulnerability scanning and remediation. Implement a monthly or quarterly test schedule so that you can compare results and see what you have fixed, what you have not, and what new vulnerabilities may have arisen. If you do not have the resources to do this yourself, Redspin can put you on an auto-scheduled service to do it for you. And consider external and internal penetration testing. These types of tests more closely mimic the paths of malicious attackers and can often expose inter-related weaknesses that would be beyond the scope of typical vulnerability assessments.

4. Invest in the security awareness of your workforce

The lack of security awareness among your employees is your overall biggest risk and the hardest of remediation. But every dollar spent on educating your employees on IT security is an investment in your organizations future success. The task goes well beyond PowerPoint presentations. You need to engage all of your employees in building a culture of security through a process of frequent and engaging security awareness training, of internal training, daily reminders, and visual workplace cues.

Situational training is a must – run social engineering tests (phishing, pre-text phone calls). Reward success. Track what people do in specific situations (good and bad) and integrate that info back into the training. Implement hotlines, place posters on walls, screen-saver reminders, and monthly tips. Redspin, among other firms, can help build and customize an effective program for you.

5. Engage with your business associates

The responsibility of PHI security now officially extends outside the organization. The Omnibus rule legally extends compliance with HIPAA security provisions and direct civil liability for breach to business associates and their vendors. That said, covered entities still retain their obligation to ensure that its business associates are safeguarding PHI effectively.

This story was first published in our sister publication Government Health IT.