
Ransomware, Security and Compliance, Part 2


Last month we looked at the growing problem of ransomware and the potentially devastating impact it can have on systems, patient information and the entire operation of your facility. Ransomware is just one of many security issues that every facility needs to be concerned with and take steps to prevent. The list of security concerns includes physical security, social engineering, phishing, social media, mobile devices, access to patient records, malicious software and more.

Security is an enterprise-wide issue that concerns, and requires the cooperation of, everyone in your facility. No amount of automation can prevent every possible security breach. Education and awareness are key components of any security plan.

Physical Security

It starts with physical security. Every staff member is responsible for securing their own environment and for reporting physical security violations anywhere in the facility. Violations may include unsecured PHI documents and files, or unauthorized physical access to offices and rooms, patients, patient information, medical equipment, computer systems or files. Unsecured mobile devices and access to medical devices deserve the same attention. All staff, and security staff in particular, must be diligent about access control, securing facility entrances and restricting access to areas where sensitive materials or systems could be reached.

Despite the best efforts of security staff to physically control access to sensitive parts of the facility, a single staff member can undo all of that work by allowing tailgating. Tailgating is when an employee holds or opens a secured door for another individual out of politeness. The practice makes it possible for an unauthorized individual to enter the facility. It is important to build awareness and emphasize the consequences of these seemingly innocent actions.

Social Engineering

Another important security area where staff need training and awareness is social engineering. Social engineering is similar to a "con game": an individual gains the confidence of a staff member with the intent of reaching information, systems or areas of your facility that they would not normally be permitted to access. It can unfold in many different ways, and hackers and con artists continuously look for new ways to exploit weaknesses in their social interactions with your staff. It could be something as simple as impersonating a member of the IT department over the phone to obtain a staff member's password, or as complex as building a relationship with one of your staff members with the intent of gaining unauthorized access to information, patients or the facility.

Email Security

Proper email security requires ongoing awareness and diligence by staff members to recognize malicious emails that could give unauthorized individuals access to information or computer systems. Risks include emails that carry viruses, requests for personal and password information, requests for patient information, phishing and more. Phishing is an attempt to acquire sensitive information such as usernames, passwords, patient information, credit card details and so on, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Frequently, the email contains links to websites that are set up to mimic the websites of targeted organizations. These websites can be visually indistinguishable from the authentic corporate website. Often, only close inspection of the web address and links reveals that the website is a malicious fraud. Awareness, diligence and training are the line of defense against these types of attacks.
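Part of that close inspection of web addresses can be automated for training and for mail screening. The following is an added example, not code from the HealthStream article: a small Python link checker that parses an HTML email body and reports links whose visible text names one domain while the href points to another, links whose host imitates a trusted domain (a trusted name buried inside an unrelated domain, or a lookalike within two character edits), and links that hide their destination behind generic text such as "click here". The trusted-domain list, the sample email and every domain in it are constructed for the demonstration.

```python
"""Flag suspicious links in an HTML email body (added example, not from the article).

Checks the signs the article says only close inspection of the address reveals:
  1. the visible link text names one domain but the href goes to another;
  2. the href host imitates a trusted domain (trusted name under a foreign
     domain, or a small-edit lookalike such as a swapped character);
  3. the destination is hidden behind generic text like "click here".
TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed for this demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the organisation legitimately uses (subdomains are trusted too).
TRUSTED_DOMAINS = {"example-health.org"}

# Matches a bare or http(s) domain inside the visible link text.
URL_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registered_domain(host: str) -> str:
    """Naive registered domain: the last two labels (enough for .org/.net samples)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str) -> list:
    """Return the reasons this link deserves a closer look (empty list if none)."""
    host = urlparse(href).hostname or ""
    if is_trusted(host):
        return []
    reasons, target = [], registered_domain(host)
    m = URL_RE.search(text)
    if m and registered_domain(m.group(1)) != target:        # check 1
        reasons.append(f"text shows {m.group(1)} but link goes to {host}")
    elif not m:                                               # check 3
        reasons.append(f"destination {host} hidden behind generic text '{text}'")
    for trusted in TRUSTED_DOMAINS:                           # check 2
        brand = trusted.split(".")[0]
        if brand in host:
            reasons.append(f"{host} buries trusted name '{brand}' under another domain")
            break
        if edit_distance(target, trusted) <= 2:
            reasons.append(f"{host} is a near-miss of trusted domain {trusted}")
            break
    return reasons


def scan_email(html: str) -> dict:
    """Map each flagged href to its reasons; clean links are left out."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = {}
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed sample: one legitimate link followed by three that need inspection.
SAMPLE_EMAIL = """
<p>Your password expires today. Sign in at
<a href="https://patientportal.example-health.org/login">patientportal.example-health.org</a> or
<a href="http://example-health.org.secure-login.net/">example-health.org</a>.
Also see <a href="https://examp1e-health.org/reset">https://example-health.org/reset</a>
and <a href="https://cdn.mailtrack.example.net/click?id=123">click here</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The registered-domain logic is deliberately naive (last two labels), which is fine for these samples but would misjudge country-code suffixes such as `.co.uk`; a production filter would use a public-suffix list. The point of the tool is not to replace staff judgement but to surface the mismatch that a reader would otherwise have to notice by hovering over each link.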

Hackers and criminals view healthcare facilities as a lucrative, information-rich environment worth their time and effort to access. Healthcare facilities hold critical information about patients, including health, financial and demographic information. In addition, a security breach can compromise the operations of your facility. Healthcare facility operations and staff have a responsibility to do everything in their power to prevent unauthorized access. Your staff is your first line of defense.