
Healthcare IT Security and Your Employees

03/14/2017  |  By: Jason Riddle, CISSP, President, Information Security



When you hear the term ‘healthcare IT security,’ your mind most likely goes to data and computers and to all of the hackers and malware trying to corrupt networks across the globe. Don’t forget about the people. A large number of breaches are due to the mishandling of information by employees who are simply not paying attention. Think about your own company.

Have you been provided with strict guidelines about the following potentially vulnerable areas?

Mobile Devices: Laptops, Tablets and Cell Phones

If you carry your laptop back and forth to work, are you careful to store it where no one else has access to it? Are your kids doing homework on it? Is it encrypted?

If you’re enjoying a latte at your favorite coffee shop and you’re using a mobile device to log in to the server at work, you might be putting the entire network at risk. At the very least, you might be exposing the data you are accessing, since you are on an unprotected network.

At minimum, any mobile device used to access your network should have an access code (PIN) and should be encrypted.

Employee Work Habits

  • Desktop Security – Do you leave your desk unattended? If your screen doesn’t lock quickly on its own, it’s up to you to lock your workstation whenever you step away, especially if you have access to patient records.
  • Paper Files – Has your business achieved the paperless office? If not, take care that printouts are shredded if they contain sensitive patient information.
  • Office Guests – Be wary of unscrupulous outsiders who may try to manipulate you into giving up sensitive information. We tend to picture bad guys presenting themselves in a malevolent way, but they can often be quite charming. They are skilled at taking advantage of people, some of whom tend to trust everybody.

Internal IT Processes

  • Discarding Old Hardware – How does your organization discard old computers and printers? It’s the organization’s responsibility to know at all times where your data lives.
  • Password Setup – Your organization should provide guidance on how to develop passwords that are difficult to figure out. Better yet, let the IT department assign passwords to employees. That way they will be cryptic enough—and can be changed on a regular schedule.
  • Portable Workstations – In patient settings, workstations are often portable. They can roll from room to room, making occasional stops behind the nurses’ station. Who has access to these portable workstations when they’re unattended? Could other patients gain access? Could anyone who happens to walk by gain access?
  • File Permissions – Employees should only be granted the minimum amount of access to sensitive information they need to get their jobs done.
  • Employee Education – Believe it or not, employees need to be told not to click on links that come from unclear sources. Messages asking for money, social security numbers or other sensitive information should never be opened. You might think this is common sense, but if it were, data thieves would stop sending them.

Healthcare IT security controls must take the human factor into account. This is particularly critical in a healthcare environment, where HIPAA/HITECH regulations mandate strict rules about how to protect your data. Your data protection strategy must go beyond the network to account for your people and how they handle sensitive information.

Patient data doesn’t just contain information about health. Many files include payment information, social security numbers and where the patient lives. Healthcare professionals throughout the entire organization are charged with protecting that data. Since we are all patients at some point, putting healthcare IT security measures in place is a prudent move for all of us.
