Figuring out how to avoid a security breach can be overwhelming. There are hundreds of ways that hackers, patients, and employees can steal data if they want, and most organizations don’t have the time or money to try to address all of them.
Luckily, we can learn from the mistakes of others!
“You must learn from the mistakes of others. You can’t possibly live long enough to make them all yourself.”
In 2015, Verizon published a fantastic report called the “2015 Protected Health Information Data Breach Report.” It’s 34 pages of cyber security goodness, analyzing 1,931 security breaches that involved healthcare, medical records, and patient information.
Based on this report, here are the 5 common mistakes companies make that lead to security breaches:
1. No encryption = Security Breach.
When you encrypt your hard drive, it becomes nearly impossible for someone who gets hold of the machine to read the data on it if it's lost or stolen, because without your password or recovery key the drive contents are just ciphertext. Also, if you lose a machine that's encrypted, it's a lot less likely that you'll need to disclose a security breach.
The best part — modern operating systems make encryption free.
If you’re using a Mac, it’s as simple as turning on FileVault.
On Windows, all you have to do is turn on BitLocker.
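Turning encryption on is the easy part; the part that gets skipped is confirming it actually stayed on across every laptop. The following script is an added example (not code from the original article) that reads the built-in status command on each platform and reports whether the boot volume is protected. It assumes that `fdesetup status` on macOS prints "FileVault is On." or "FileVault is Off.", and that `manage-bde -status C:` on Windows prints "Conversion Status:" and "Protection Status:" lines; the `run_command` hook is there so the parsing can be exercised offline with constructed output.

```python
"""Report whether the boot volume is encrypted with FileVault (macOS) or
BitLocker (Windows) by parsing the output of the OS status command.

Added example, not from the original article. Assumptions: `fdesetup status`
prints "FileVault is On." / "FileVault is Off."; `manage-bde -status C:`
prints "Conversion Status:" and "Protection Status:" lines.
"""
import platform
import subprocess
from typing import Callable, Dict, List

# Built-in status commands per OS (assumption: no third-party tooling needed).
STATUS_COMMANDS: Dict[str, List[str]] = {
    "Darwin": ["fdesetup", "status"],
    "Windows": ["manage-bde", "-status", "C:"],
}


def parse_filevault(output: str) -> Dict[str, object]:
    """Interpret `fdesetup status` output: encrypted only if FileVault is On."""
    lines = output.strip().splitlines()
    first = lines[0] if lines else ""
    enabled = first.lower().startswith("filevault is on")
    return {"tool": "FileVault", "encrypted": enabled, "detail": first}


def parse_bitlocker(output: str) -> Dict[str, object]:
    """Interpret `manage-bde -status` output.

    Both conditions must hold: the volume is fully encrypted AND protection is
    on. A volume can be "Fully Encrypted" with "Protection Off" (protectors
    suspended, e.g. for a firmware update that was never resumed); the data on
    such a disk is readable, so it is reported as not protected.
    """
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip().lower()
    conversion = fields.get("conversion status", "")
    protection = fields.get("protection status", "")
    encrypted = conversion == "fully encrypted" and protection == "protection on"
    detail = f"conversion={conversion or '?'}, protection={protection or '?'}"
    return {"tool": "BitLocker", "encrypted": encrypted, "detail": detail}


PARSERS = {"Darwin": parse_filevault, "Windows": parse_bitlocker}


def default_runner(cmd: List[str]) -> str:
    """Run the status command and return its stdout (BitLocker needs admin)."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""  # tool missing: parsed as "not encrypted" below


def check_disk_encryption(system: str = None,
                          run_command: Callable[[List[str]], str] = default_runner) -> Dict[str, object]:
    """Return {"tool", "encrypted", "detail"} for this host (tool=None if unsupported)."""
    system = system or platform.system()
    if system not in STATUS_COMMANDS:
        return {"tool": None, "encrypted": False, "detail": f"no check for {system}"}
    output = run_command(STATUS_COMMANDS[system])
    return PARSERS[system](output)


if __name__ == "__main__":
    result = check_disk_encryption()
    status = "OK" if result["encrypted"] else "NOT ENCRYPTED"
    print(f"{status}: {result['tool']} ({result['detail']})")
```

Run it from whatever management tool pushes scripts to your laptops and collect the one-line result; a machine that reports NOT ENCRYPTED is the one that will turn a lost bag into a reportable breach.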
2. No laptop security training.
Think back. When you got your laptop, did anyone teach you the right way to keep it safe?
I bet they didn’t. But they should.
For example, did you know that a car is the most common place that laptops get stolen?
Or how about those black computer cases that everyone uses — they pretty much scream “I’m a laptop, steal me!”
Train your team (and yourself) on the proper ways to protect their laptops both in and away from the office to lower your risks of a security breach.
3. No Clean Desk Policy
You have to turn to another Verizon report for this one (the full 65-page Verizon “2015 Data Breach Investigations Report”), but surprisingly “…most of the theft occurred within the victim’s work area (55% of incidents).”
Whether it’s patients picking something up as they walk out the door, co-workers who steal information off a printer, or a smash and grab robbery, spend the time figuring out where you might be exposed.
One of the simplest ways to protect yourself is to implement a clean desk policy. It’s very easy to see if papers or USB sticks are left out accidentally if desks are clean and printers are clear.
Here, take a look. I have a hard drive with a backup of 10,000 patient records sitting on my desk. You’re walking by my office. Can you see it?
It’s in there, I promise.
No? Well how about now?
(No actual patient records were harmed in the production of this article.)
This takes discipline (like any new habit), but trust me, it’s worth avoiding a security breach.
4. Not using unique passwords.
Most people use the same password for everything. Or maybe they’ll use two or three different passwords.
Let me say this in no uncertain terms — if you do this, and I get my hands on your password, I OWN YOU.
- I can transfer money out of your online banking account (like this company that lost $1.5 million)
- I can take over your Facebook account.
- I can log into your electronic health records, and take a copy.
- I can shut down your business.
“But I’m a small business,” you say. “No hacker is going to come after me to get my password.”
This was true in 1998. Not today. Passwords are stolen every day, most commonly through data breaches. Ever use Forbes? Adobe? Snapchat? Yahoo? Domino’s Pizza? Then someone else has your password. And cyber criminals have sophisticated operations that are working hard to get more and more passwords.
You can make it harder for them by doing one simple thing — use a password manager.
Whichever one you choose, you only have to remember a single password, and then the password manager will keep track of all of your strong, unique passwords across all of your websites. They’re super easy to use, and make life easier while also lowering your risk of security breach.
Mat Honan at Wired tells a great story about how absolutely messed up things were for him after being hacked. And it wasn’t even his business accounts.
5. Security breach via employee misuse.
A full 20% of the security incidents were due to “privilege misuse.” People have legitimate access (think employees and patients), and then misuse it. If you’re lucky, it’ll just be someone doing a little casual snooping on their neighbor or on a celebrity. But it can also mean someone can steal records to sell on the black market or to commit medical identity theft.
This is a big topic, probably worthy of its own article, but here are some things you can do to get started:
- The best way to prevent misuse is to avoid it entirely. If your team doesn’t need access to sensitive information to do their job, don’t give it to them.
- “Data Loss Prevention” is a class of tools that are meant to stop data theft. They don’t work particularly well, and tend to frustrate employees by slowing them down, but we put together a list of Five Cheap Data Loss Prevention Tools in case you want to explore.
- Rafeeq Rehman at Verizon wrote a great article laying out the policies and systems companies should have in place to prevent security breaches through privilege misuse.
Yes, preventing security breaches can be an enormously complex problem to solve. But as Stephen Covey says in the 7 Habits of Highly Effective People, “Put First Things First.” Start by addressing these five highest priority, security breach-preventing tasks in your business, and you’ll be meaningfully safer!
P.S. – no, Verizon is not paying us in any way for this article. We just really love their reports.
Still feeling a bit overwhelmed?
Get some free help! Check out our free 42-Point Checklist for ways to make your practice HIPAA compliant.