Every day, it seems, another security threat is in the news. The latest one involves flaws in Intel chips that introduce a new vulnerability. Patches are out to address it, and hopefully someone in your IT organization is tracking and applying them. But this is only one of the many ways your company can be vulnerable to cyber-criminals.
Good Security Is Proactive
Patches have to be applied. That’s good. But it’s also reactive. Doing whatever the news of the day tells you to do about security is not a security plan. So, what is? And what does a good plan look like? Proactive security measures address every potential threat before it becomes the news of the day.
The biggest risk to security, by far, is human actors. These include your own employees and bad actors outside the organization. Humans make mistakes, as the story of former White House Chief of Staff John Podesta’s hacked email shows. To review: Podesta got an email he found suspicious, asking him to change his Gmail password. He sent a memo to his IT department. The IT staffer involved meant to tell him it was suspicious but made a typo in his reply email and told him it was okay. So Podesta went ahead and clicked on the link, exposing his database to Russian hackers. What went wrong here?
There are lots of things, but the most fundamental of them is this: if security is a real concern, one does not use a free, public email service for email. Whatever else was in place, this episode shows that the DNC’s approach to security was flawed at the most fundamental level. People working at the White House should not use free, public services for sensitive email. It is a safe bet that, if you examine your organization’s security posture closely, there is at least one such facepalm moment lurking somewhere.
People do stupid things. One of the jobs of IT security professionals is to anticipate those things and make sure they don’t happen. Moving from passwords, which can be insecurely stored, to biometric identifiers is one way to do this. People can’t easily steal your fingerprints or iris.
Portable devices are another issue. Having 24/7 access to a business device is great. But is it necessary? Laptops and smartphones are eminently losable. Ask whether every employee who has remote access actually needs it. Make sure you can remotely erase your company data from a device if it is lost or stolen.
The boundaries between work and non-work life grow ever thinner. There is no need to deny employees access to personal email. But on the company email server? Have them take personal mail to a browser-based service. Keep work and personal accounts firmly separated. This is a basic step that every company could and should be taking.
Auditing (Gently) The Vendors
There are good reasons to outsource many IT functions. Day-to-day operations rarely require high-level IT expertise. It can easily be obtained from IT consultants and managed outsource providers and used as needed. Moreover, using outsourced IT providers who have many clients allows your organization to take advantage of the mistakes their other customers have already made. Most IT professionals have seen and heard it all. Use of consultants is a very inexpensive means of knowledge transfer, far cheaper than developing the same experience with in-house techs.
Make sure the IT provider knows their stuff. You may find a few whose security is really no better than yours. This is why it’s so important to check a company out before hiring them. Check their feedback online. See what their customers are saying about them. Do they really know how to secure your data and records so that you don’t get hit with a ransomware virus? Will they set up both onsite and offsite backups so you’re never without your data even if disaster strikes?
Needing To Know
Transparency is, in general, good. But when dealing with health information that is protected by regulations like HIPAA, less is more. That is, less access is better insurance against risk. No one should be deprived of the data they need to do their job. But with protected health information, no one without a need to know should have access. Coders may need to see the physician’s notes in order to properly bill for services rendered. Billers do not. All they have to do is charge for the codes that are given to them. They do not need access to clinical data.
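The coder-versus-biller rule above is a field-level, deny-by-default access policy, and it is easy to make concrete. The following is an added example, not code from the original article or from any product it recommends: the role names, the record fields, the `FIELD_ACCESS` table and the sample patient record are all constructed for illustration. Any field not listed in the table is hidden from everyone, and every decision is written to an audit log so that repeated denials for one user can be noticed.

```python
"""Need-to-know (least-privilege) view of a patient record.

Added example for this article. Roles, field names and the sample record
are constructed placeholders, not a real clinical schema.
"""
from dataclasses import dataclass, field
from collections import Counter

# Minimum set of roles that needs each field. A field missing from this
# table is denied to everybody: deny by default, allow by exception.
FIELD_ACCESS = {
    "patient_id":      {"coder", "biller", "physician"},
    "procedure_codes": {"coder", "biller", "physician"},
    "diagnosis_codes": {"coder", "biller", "physician"},
    "physician_notes": {"coder", "physician"},   # coders assign codes from them; billers do not
    "lab_results":     {"physician"},             # clinical data, not needed for billing at all
}


@dataclass
class AuditLog:
    """Every allow/deny decision, so access patterns can be reviewed later."""
    entries: list = field(default_factory=list)

    def record(self, user: str, role: str, field_name: str, allowed: bool) -> None:
        self.entries.append((user, role, field_name, "ALLOW" if allowed else "DENY"))

    def denials_by_user(self) -> Counter:
        """Count DENY events per user; a spike is worth a look by whoever reviews access."""
        return Counter(user for user, _, _, verdict in self.entries if verdict == "DENY")


def can_access(role: str, field_name: str) -> bool:
    """True only if the role is explicitly granted the field."""
    return role in FIELD_ACCESS.get(field_name, set())


def redact_for_role(record: dict, role: str, user: str, audit: AuditLog) -> dict:
    """Return the subset of `record` the role has a need to know, logging each decision."""
    view = {}
    for name, value in record.items():
        allowed = can_access(role, name)
        audit.record(user, role, name, allowed)
        if allowed:
            view[name] = value
    return view


# Constructed sample record; values are placeholders, not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "procedure_codes": ["99213"],
    "diagnosis_codes": ["J06.9"],
    "physician_notes": "Patient reports sore throat for three days.",
    "lab_results": {"rapid_strep": "negative"},
    "ssn": "000-00-0000",   # not in FIELD_ACCESS, so no role ever sees it through this view
}


if __name__ == "__main__":
    audit = AuditLog()
    for user, role in [("coder01", "coder"), ("biller01", "biller"), ("dr_smith", "physician")]:
        print(role, "sees:", sorted(redact_for_role(SAMPLE_RECORD, role, user, audit)))
    print("denials per user:", dict(audit.denials_by_user()))
```

The point of the table is that access is granted per field, not per record: a biller receives the codes they charge for and nothing clinical, while an unknown field such as the constructed `ssn` is invisible to every role until someone deliberately adds it to the policy.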
These considerations are very basic. They require no esoteric knowledge. But thinking through them will help you arrive at your own conclusions about whether your data is really safe. Remember these basics:
- Be proactive about security.
- Never take lightly the human factor.
- Ensure third-party vendor security.
- Apply the “need to know” concept.
- Get help from a professional IT managed services provider if you still feel uneasy about your data’s security.