Cybersecurity resolutions for healthcare organizations

Posted: Jan 05, 2017

As the new year is upon us, it’s time to start thinking of some resolutions for the year ahead. Why not try something different this year and set your organization some resolutions based on improving cybersecurity, such as the following:

Talk to your employees more

Human error is frequently cited as the biggest cause of data breaches within the healthcare industry. Our recent survey, Mobile messaging, security & HIPAA: A healthcare overview, supports this claim, as over half of the respondents believe their organization could be doing more to educate their employees on HIPAA compliance. To help minimize costly mistakes by staff, organizations must commit to spending adequate time educating their employees on their obligations to cyber security and HIPAA compliance, through proper training programs and enforced policies.

Review your policies

Organizations should develop or review policies in the following areas:

BYOD – BYOD is a growing trend within the healthcare industry. However, for all the benefits BYOD has to offer, risks exist in equal measure. Within healthcare, BYOD presents a higher level of risk compared to many other industries, due to the obligation to protect PHI in accordance with HIPAA’s rules. Going into the new year, it is critical that organizations have their BYOD policies in order, and that employees are kept up to date with security and privacy best practices.

Mobile Messaging – The adoption of mobile devices within healthcare environments has soared in recent years, with mobile messaging in particular proving an increasingly popular means of communication within care teams. Our survey found that 78% of healthcare professionals use mobile messaging at work, yet around half of organizations do not have adequate policies in place to ensure safe usage.

Organizations that allow mobile messaging must establish workplace policies that outline details of who is authorized to send and receive clinical text messages, and what the nature of those text messages should be. As above, staff should be trained to follow policies and procedures and be made aware of the possible sanctions that will be imposed if they are violated.

Cloud Computing – In October, OCR released a new piece of guidance to set the record straight on Cloud Service Provider (CSP) requirements under HIPAA. In short, the guidance confirmed that a CSP that creates, receives, maintains, or transmits ePHI on behalf of a HIPAA-covered entity or as a subcontractor for a covered entity’s business associate is itself a business associate under HIPAA.

With this, covered entities using any cloud services need to ensure that Business Associate Agreements are in place with all vendors who come into contact with ePHI, and, similarly to both mobile messaging and BYOD, ensure policies exist to promote safe practice.

Implement an efficient incident response plan

One of the key elements that determines the survival of an organization is its ability to recover from a data breach or cyber attack if one were to occur. However, considering the average cost of data breaches for covered entities is now more than $2.2 million, the recovery process is rarely easy.

This is why it is important for organizations to implement an effective incident response plan, which will allow them to recover from a data breach in the shortest time possible, whilst incurring minimal damage along the way.

Organizations should ensure all employees are aware of their incident response plan if they want to get back on their feet as quickly as possible. One of the best ways to make sure an incident response plan works effectively is through rigorous testing – this will expose any potential weaknesses in the system, thus allowing organizations to work on fixing any issues within a safe test environment.

Successful resolutions are the ones that stick. With so much at stake for healthcare organizations operating in the modern healthcare environment, where the risks are diverse and ever growing, cybersecurity needs to be an ongoing commitment.