By Mac McMillan | Advance for Health Information Professionals
CynergisTek CEO Mac McMillan recently wrote an article for Advance for Health Information Professionals titled "When Important Assets Go Missing" that reviews what is truly at stake when a device disappears and how to handle such an incident. McMillan looks at the common problem of an employee losing a device or having one stolen, a scenario that accounts for more than 40% of reportable breaches.
Everyone knows that the growing number of mobile devices and the consumerization of IT in the enterprise create endless security challenges. Traditional strategies such as relying on a user ID and password no longer provide the protection they did when devices and network access were confined within the four walls of an organization. It is time to change the way we think. McMillan says, "We need to rethink how we deploy information assets and how we make information available." The first step is to consider where sensitive data resides and how access to it is granted. We need better data management. McMillan suggests "using techniques like properly segmenting critical assets, virtualizing workstations or mobile devices, employing data loss prevention technologies or encrypting assets." Mobile devices will only continue to saturate healthcare organizations, as users want ubiquitous access to information.
Next, McMillan looks at what to do when one of those crucial devices is stolen or lost and provides a guidance list:
- Asset Accountability: Keep an inventory of devices that hold ePHI, consider tracking software, tag devices, and know in advance what law enforcement will need (serial numbers, asset tags, tracking identifiers) to help locate or recover a device.
- Physical Protections: There are several effective physical security controls. Use locks on computers on wheels, desktops and laptops. Tagging also helps maintain the audit trail when a device goes missing.
- Training: Provide training tailored to what employees actually do, so that it changes their behavior. Training is one of the most important steps in mitigating security risk and one of the best defenses against incidents.
- Maintain Custody: Very simple: never leave your mobile devices unattended. Be especially wary of use in highly public places, e.g. airports, train stations, hotel lobbies.
- Encrypt Data: Also very simple. Mobile devices should always be encrypted. Encryption also qualifies lost data for the HIPAA breach notification safe harbor: data that is encrypted in line with HHS guidance, and whose key was not lost with it, is considered unusable and indecipherable, so its loss does not trigger costly notifications.
- Recovery: Have contingency plans in place and record serial numbers in a safe place.
- Risk Analysis: Identify and quantify enterprise threats and the risks posed by devices. When data is compromised, determine whether there is a low probability that the PHI has actually been compromised; if so, notification is not required. When assessing that probability, McMillan suggests asking the following questions and documenting the risk analysis process:
- What was the nature and extent of the information involved?
- Who received the information or to whom was the impermissible disclosure made?
- What did they do with the information?
- What mitigating factors existed at the time of the breach?
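The guidance above ties together: the inventory tells you whether the lost device held ePHI and whether it was encrypted, which decides whether the safe harbor applies or the four-factor assessment has to be performed and documented. The following Python script is an added example of that triage, not code from McMillan's article or from CynergisTek. The inventory records, the loss reports and the field names (asset_tag, serial, stores_ephi, fde_enabled, key_compromised, tracking_enrolled) are all constructed assumptions about what an asset register captures; a real register would be the MDM or CMDB export.

```python
"""Lost-device triage against an ePHI asset inventory (added example).

All devices, owners and serial numbers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Device:
    asset_tag: str
    serial: str
    owner: str
    stores_ephi: bool        # device is known to hold ePHI
    fde_enabled: bool        # full-disk encryption was enabled at time of loss
    key_compromised: bool    # key/passphrase lost with the device or otherwise disclosed
    tracking_enrolled: bool  # locate/remote-wipe agent present


# Constructed sample inventory (assumption: one record per tagged device).
INVENTORY: Dict[str, Device] = {
    "HC-00417": Device("HC-00417", "SN-7F3A21", "j.doe", True,  True,  False, True),
    "HC-00982": Device("HC-00982", "SN-19C0DE", "r.roe", True,  False, False, False),
    "HC-01230": Device("HC-01230", "SN-B00B1E", "a.poe", False, False, False, True),
}

# The four factors the assessment must document (from the guidance list).
FOUR_FACTORS = (
    "What was the nature and extent of the information involved?",
    "Who received the information or to whom was the impermissible disclosure made?",
    "What did they do with the information?",
    "What mitigating factors existed at the time of the breach?",
)


def encryption_safe_harbor(dev: Device) -> bool:
    """Safe harbor only holds if the data was encrypted AND the key was not lost with it."""
    return dev.fde_enabled and not dev.key_compromised


def triage_lost_device(asset_tag: str,
                       inventory: Dict[str, Device] = INVENTORY) -> dict:
    """Return the incident record for a reported loss of the given asset tag."""
    dev = inventory.get(asset_tag)
    if dev is None:
        # Not in inventory: the accountability control already failed; treat as
        # ePHI-bearing until proven otherwise and find out what it was.
        return {"asset_tag": asset_tag, "status": "unknown_asset",
                "notification_required": None,
                "next_step": "identify device, owner and data before deciding"}

    record: dict = {
        "asset_tag": dev.asset_tag,
        "owner": dev.owner,
        # What law enforcement will ask for when helping to locate/recover it.
        "law_enforcement_info": {"serial": dev.serial, "asset_tag": dev.asset_tag,
                                 "tracking_enrolled": dev.tracking_enrolled},
    }
    if not dev.stores_ephi:
        record.update(status="no_ephi", notification_required=False,
                      next_step="recover/replace; no breach assessment needed")
    elif encryption_safe_harbor(dev):
        record.update(status="safe_harbor", notification_required=False,
                      next_step="document encryption evidence; no notification")
    else:
        record.update(status="risk_assessment_required", notification_required=None,
                      risk_assessment=list(FOUR_FACTORS),
                      next_step="answer and document all four factors")
    return record


def unencrypted_ephi_devices(inventory: Dict[str, Device] = INVENTORY) -> List[str]:
    """Hygiene check to run before anything is lost: ePHI devices without a usable safe harbor."""
    return sorted(tag for tag, d in inventory.items()
                  if d.stores_ephi and not encryption_safe_harbor(d))


if __name__ == "__main__":
    for tag in ("HC-00417", "HC-00982", "HC-01230", "HC-99999"):
        print(triage_lost_device(tag))
    print("remediate:", unencrypted_ephi_devices())
```

Two things are worth noting about the design. A device that is not in the inventory is treated as an unanswered question, not as harmless: if you cannot say what it held, you cannot claim a low probability of compromise. And the hygiene check is the part to run on a schedule, because a device that appears on that list is a reportable breach waiting to happen.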
Protecting your assets is crucial to your security program. You need to maintain accountability for every information asset, have physical controls in place for the devices, have technical controls in place to defend your sensitive data from compromise, and have controls in place that help when a device is lost or stolen. Given the high cost of a breach, securing your assets is essential.
The full article is available on the Advance for Health Information Professionals website.