5 ways to be proactive about keeping patient data

As modern medicine embraces technology, keeping patient data secure is now becoming one of the industry’s most pressing challenges.

This is not an issue that can simply be left to your IT department to take care of – security needs to be a company-wide concern, and one that has strong buy-in from the top down. Here are some steps that will help your organization protect its data:

1. Develop a security culture

While reports of malware and online attacks grow year after year, it may surprise you to learn that the largest threat to online security is not a nameless, faceless hacker. Rather, it’s the people in your business.

“The number of cyberattacks is estimated to have risen by 67 percent over the last five years, with the majority of these data breaches being traced back to human error,” researchers reported.

This means that one of the most important aspects of your data security plan is ensuring that you have a strong security culture – after all, there’s no point building impenetrable walls if the proverbial gate is left open.

The number of cyberattacks is estimated to have risen by 67 percent over the last five years, with the majority of these data breaches being traced back to human error.

There needs to be a company-wide commitment to data security: Education about its importance for both the company and patients should be taught from day one, leaving no one in doubt as to the massive benefits of strong security.

What’s more, this culture needs to be instigated from the top down; if you expect entry-level staff to be vigilant about patient security, leadership needs to walk the walk as well.

2. Develop a security improvement plan

One of the first steps in ensuring your security is airtight is to do a security risk assessment and find out where your company may “leak.”

Generally performed by an outside audit team, once this assessment has been conducted and the findings handed down, it’s time to start drawing up a security improvement plan.

More than just a vague idea of how to address underlying issues with your security as it stands, a strong improvement plan will be your blueprint for creating a security system that will have your data safe now and in the future.

Aspects a plan is likely to address include:

  • Changes that are required from the top down
  • The software and hardware required to make these changes
  • The cost of implementing these changes
  • A timeline breaking down how the whole plan will be implemented

Finally, in the ever-evolving environment that is the internet, your plan needs to be updated regularly.

3. Develop secure workflow processes

Virtually all actions within an organization follow a repeatable process; it ensures that when a person leaves or is promoted, it’s relatively straightforward to train someone else to fill their role. So it’s vital that all processes are analyzed step-by-step to ensure that none present an unnecessary security risk.

It’s vital that all processes are analyzed step-by-step to ensure that none present an unnecessary security risk.

If a risky procedure happens even once in a workflow, that means it’s happening each time that process is repeated, thereby increasing the chances of a data breach occurring. Therefore, all company processes need to be broken down into their individual steps and assessed as to how much risk they present, and whether any of that risk is avoidable.

The fact is, it’s impossible to be completely risk averse. Businesses have contained an element of chance since humans first began to trade. However, a smart business takes the time to assess each step of its workflow processes and reduce the possibility of a negative outcome.

Are patients’ personal details needlessly recorded in an external email? Remove them. Is there a chance outdated and obsolete hardware still contains important information? Reassess end-of-lifecycle procedures.

This step is about ensuring that every facet of your business has a security-first undercurrent.

4. Use the cloud

There are a myriad of reasons why businesses are migrating to the cloud, including the convenience it offers, the ease with which it facilitates collaboration and the opportunities it presents for scalability. Importantly, it also offers robust security.

First, most commercial cloud offerings encrypt all data stored on them, which ensures data cannot be accessed without an encryption key. Second, cloud systems are regularly and automatically updated, so while hackers and malware are constantly improving, so too is your data’s protection. And third, in the unfortunate event of a breach, the cloud provides data backup to help ensure systems can be successfully restored with minimal downtime.

5. Develop an incident-response plan

An incident response plan is similar to an insurance policy – you hope you’ll never actually have to use it, but it just makes sense to have one in place.

What’s more, while major companies like Facebook, Yahoo and Sony have experienced data breaches, a recent study found that 78 percent of small- and medium-sized businesses had been targeted by cyberattacks in a one-year span.

78 percent of small- and medium-sized businesses had been targeted by cyberattacks in a one-year span.

The key point is that all companies are targets, so being prepared for the worst just makes sense. Having a plan can help limit an attack’s impact and reduce recovery time, so it’s just plain good sense to have one.

While each step contains more specific sub-areas, a basic outline for a response plan has been broken down into six steps by Carnegie Mellon University's Information Security Office:

  1. Preparation
  2. Detection
  3. Containment
  4. Investigation
  5. Remediation
  6. Recovery

It’s worth noting that rather than a checklist that starts and finishes, a good response plan is a cycle, with lessons learned in the recovery process, then applied to future preparation.

Finally, it’s crucial that your entire organization is invested in the incident-response plan, from the top down – because, again, a strong security culture is led by the executive team.

Cybersecurity should be a primary concern for all employees, from the CEO and board to line managers and workers. Threats can come at any time, so planning and awareness are your best defenses.