When it comes to protecting sensitive information and maintaining strong healthcare data security, it is not a matter of revolutionary change but rather of evolutionary change, according to Kate Borten, president and founder of The Marblehead Group.
In an interview with HealthITSecurity.com, Borten explained that even with technological advances, covered entities cannot overlook the basic areas of security. This includes being aware of the dangers of visual hacking, especially as more workforce members use mobile devices in healthcare facilities.
“It’s a very persistent problem because of human nature,” said Borten, who is also part of The Visual Privacy Advisory Council. “Snooping, peeking, prying: it’s been around forever and I’m afraid it always will be.”
Covered entities need to at least be aware of the risks and understand what prevention measures can be taken, she explained.
“In a healthcare environment there are lots of places where visual privacy, or visual exposures can occur,” Borten maintained. “Whether it’s patient information on papers or computer screens, or whether they’re on fixed devices. People are also increasingly mobile, and walking around with tablets, mobile phones, so there’s exposure through those screens as well.”
Borten added that information could be visible on workstations that physicians, nurses, or other healthcare employees use. If the screen faces out toward the hallway, sensitive data could be seen by passers-by, even when no one is looking intentionally or maliciously.
The HIPAA Privacy Rule allows for incidental exposures, she explained, but that is really only acceptable if an organization is doing everything that it reasonably can to keep sensitive information secure.
“Sometimes the solutions are simple and basic, such as re-angling a device,” Borten advised.
Using employee training with other technical advancements
Comprehensive and regular employee training is also a critical aspect of creating strong healthcare data security, according to Borten.
“You need to start with simply making the workforce aware of this risk, because if you work in a healthcare organization, you’re just immersed in patient information daily,” she said, adding that there is even a tendency to become desensitized to having that information readily available.
It’s about understanding that the information is sensitive and also being aware of your physical surroundings, Borten stated, such as being aware of who is walking behind you while you’re working on a computer.
A “clean desk policy” will also be greatly beneficial, she explained. Employees need to understand that when they walk away from their desk, they should take a quick look to make sure there are no loose papers lying around and that they have completely logged off.
Privacy filters can also be a good tool to add, she said. However, an overall awareness of who might be able to see information on a screen or on a piece of paper is essential.
In terms of technical safeguards, something as seemingly simple as an automatic log-off or a screen lock can be critical.
“There should be a workstation timeout,” according to Borten. “Or a password-protected screensaver pops up after just a few minutes. It’s a very important use of technology there.”
However, she cautioned that this should not be a substitute for teaching users good security practices.
One recommendation from Borten is that covered entities implement a “walk around audit,” where managers or company leaders simply walk past workstations to see who failed to log off, or whether there are papers lying about with PHI and other confidential information.
Even copiers or fax machines could lead to security issues, as employees may send something to a printer and then forget about the papers. Or, they may use a flash drive for printing, but leave the device in the printer.
“It’s an awareness,” Borten said. “It’s reinforcing the training and the right ways to do things. But it also helps identify a particular department or area, or device that might be exposed. [The walk around audit] is a really good tool.”
Looking ahead to key issues in 2016
Overall, Borten reiterated her point that healthcare data security is more about evolution than about revolutionary change.
Malware will likely continue to be a major issue in the New Year, along with phishing scams. The latter have only become more sophisticated and harder to distinguish from legitimate emails.
“Increasingly, phishing attacks are looking more and more authentic,” she cautioned. “If [cyber attackers] send out a million of these messages, all they need are a handful of people.”
Borten added that she advises her clients to hover their cursor over a link, which will reveal the true URL. On mobile devices, she explained, the “long press” is helpful: the individual holds a finger down on the link, and a pop-up should appear with different options. It will also show the true URL, she explained.
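As an added illustration (not part of the interview or of any product Borten describes), the following Python script automates what the hover or long press reveals, for a whole message at once: it pulls every link out of an HTML e-mail body, compares the host shown in the visible link text with the host the `href` actually points to, and flags the links where the two differ. The sample message, its domains and the function names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample e-mail body (not taken from the article). The second link
# displays one hospital domain but points somewhere else, as a phishing mail would.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention.</p>
<p><a href="https://portal.example-hospital.org/login">https://portal.example-hospital.org/login</a></p>
<p><a href="http://login.example-hospital.org.evil.test/reset">portal.example-hospital.org</a></p>
<p><a href="https://billing.example-hospital.org/invoice">Click here to view your invoice</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, or None
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"text": "".join(self._text).strip(), "href": self._href})
            self._href = None


def extract_links(html):
    """Return a list of {'text': ..., 'href': ...} for each link in the HTML."""
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


# Matches visible text that looks like a URL or bare domain and captures its host.
_DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def visible_host(text):
    """Host named in the visible link text, or None if the text is not URL-like."""
    m = _DOMAIN_RE.match(text.strip())
    return m.group(1).lower() if m else None


def real_host(href):
    """Host the href actually resolves to (what hovering or long-pressing shows)."""
    return (urlparse(href).hostname or "").lower()


def flag_mismatched_links(html):
    """Return links whose visible text names one host while the href leads to another."""
    flagged = []
    for link in extract_links(html):
        shown = visible_host(link["text"])
        actual = real_host(link["href"])
        if shown and actual and shown != actual:
            flagged.append({**link, "shown_host": shown, "actual_host": actual})
    return flagged


if __name__ == "__main__":
    for link in extract_links(SAMPLE_EMAIL_HTML):
        print(f"text={link['text']!r:55} -> {real_host(link['href'])}")
    for bad in flag_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"MISMATCH: shows {bad['shown_host']} but goes to {bad['actual_host']}")
```

Links whose visible text is plain prose ("Click here to view your invoice") are not flagged, because there is no displayed host to compare against; for those the script simply reports the real destination, which is exactly the check Borten suggests users make by hand.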
“It’s an ongoing challenge,” Borten admitted. “Just teaching people, raising awareness…these are life skills because everybody’s on the internet now. They’ll help you in personal shopping, banking, as well as at work. There’s a receptive audience there when we teach our workforce these kinds of things.”
One important evolutionary aspect that Borten has seen is that healthcare organizations are finally developing internal information security expertise. More of the people serving as ISOs or CISOs are really studying the field and gaining certifications such as the CISSP.
Previously, it was common for individuals in those positions to have no background or training in information security. Often these individuals were already wearing multiple hats, and security was just another one added to the mix.
“More organizations are at least considering making this full time. That’s not to say there’s no risk, but it’s getting better.”