Security
§164.306(a): Covered entities and business associates must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part; and (4) Ensure compliance with this subpart by its workforce.
Privacy
§164.530(c)(1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. (2)(i) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
So how can you help prevent data loss?
Beyond having a full-time staff member dedicated to security and compliance, rather than having the IT department do it when they have time, make sure you provide continuous security awareness training that employees can relate to. Make it personal: show them how it protects not only the company but also their own banking and personal information, wherever and whenever they use a computer.
Also make sure your governance framework is centralized and that you perform continuous audits and risk assessments. Locate all critical data (the ePHI the rule in §164.306(a) applies to) and monitor who is accessing it, when, and from where.
DLP technologies can be helpful here. Foster a culture of openness and trust: the full-time security role is your point of contact for all matters of security and should be someone all employees trust with any and all security and privacy issues. Have auditors not only test your compliance but make sure the audit is risk based and employs threat modeling as well. Have your IT, security and compliance staff get certified and become active members of ISSA, ISACA, InfraGard and FHIMA. This provides ongoing training and dialog with like-minded professionals facing the same challenges your organization faces.
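The advice above to locate critical data and monitor who accesses it, when, and from where is the kind of check that is easy to script against an existing file-access audit trail. The example below is added here and is not code from the original article or from any DLP product. It assumes a simplified audit log format (timestamp, user, action, path, source IP), that ePHI lives under an assumed `/phi/` share, an assumed corporate network of 10.20.0.0/16 and assumed business hours of 07:00 to 19:59; the log lines are constructed for illustration. It builds an access index per critical file and raises an alert when a critical file is touched from outside the corporate network or outside business hours, which is the "who, when and from where" monitoring the paragraph calls for.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from any real system). Assumed format:
# <ISO timestamp> <user> <READ|WRITE|DELETE> <path> <source IP>
SAMPLE_LOG = """\
2024-03-04T09:12:31 jsmith READ /phi/patients/2024/record_1043.pdf 10.20.4.17
2024-03-04T09:15:02 jsmith READ /phi/patients/2024/record_1044.pdf 10.20.4.17
2024-03-04T13:40:55 rlee WRITE /phi/billing/claims_march.csv 10.20.7.3
2024-03-04T23:58:10 tnguyen READ /phi/patients/2024/record_0899.pdf 10.20.4.22
2024-03-05T02:14:45 rlee READ /phi/patients/2024/record_1100.pdf 203.0.113.45
2024-03-05T08:02:12 hr_bot READ /public/handbook.pdf 10.20.9.9
"""

# Assumptions for this example: where ePHI is stored, what "inside the
# network" means, and what counts as business hours (local time).
CRITICAL_PREFIXES = ("/phi/",)
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = range(7, 20)  # 07:00 through 19:59

LINE_RE = re.compile(r"^(\S+) (\S+) (READ|WRITE|DELETE) (\S+) (\S+)$")


def parse_line(line):
    """Parse one audit line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, path, ip = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "path": path,
        "ip": ipaddress.ip_address(ip),
    }


def is_critical(path):
    """True if the path is under one of the assumed ePHI locations."""
    return path.startswith(CRITICAL_PREFIXES)


def flags_for(event):
    """Return the list of reasons this access of critical data is suspicious."""
    flags = []
    if not any(event["ip"] in net for net in CORPORATE_NETS):
        flags.append("external-ip")
    if event["ts"].hour not in BUSINESS_HOURS:
        flags.append("off-hours")
    return flags


def monitor(log_text):
    """Index every access to critical data and collect alerts.

    Returns (by_path, alerts): by_path maps each critical file to the list of
    (timestamp, user, ip) accesses; alerts lists flagged accesses in log order.
    """
    by_path = defaultdict(list)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_critical(ev["path"]):
            continue  # non-critical data or unparseable line: not our concern here
        by_path[ev["path"]].append((ev["ts"], ev["user"], str(ev["ip"])))
        flags = flags_for(ev)
        if flags:
            alerts.append({
                "user": ev["user"],
                "path": ev["path"],
                "ts": ev["ts"].isoformat(),
                "ip": str(ev["ip"]),
                "flags": flags,
            })
    return by_path, alerts


if __name__ == "__main__":
    index, found = monitor(SAMPLE_LOG)
    for path, accesses in index.items():
        print(path, "->", accesses)
    for alert in found:
        print("ALERT", alert)
```

On the constructed log this indexes five accesses to `/phi/` files, ignores the handbook read, and raises two alerts: the 23:58 read by `tnguyen` (off-hours) and the 02:14 read by `rlee` from 203.0.113.45 (external IP and off-hours). In practice the log source would be the file server's or EHR application's audit trail and the critical-path list would come from the data-discovery step, but the structure of the check is the same.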
Finally, regular penetration testing by a reputable pen tester is worth every penny: pay for a pen test today or suffer an unplanned loss that costs much more. Have a pen test done as often as you can.
Mark Wolfgang, CEO of Shorebreak Security, says you should have continuous pen testing performed, not just once a year. Depending on your business and its data criticality, you can have varied levels of pen testing to fit your business model. Monthly, weekly or daily options are available, and the cost varies with the testing frequency.
Security and privacy are not an IT issue; they are a serious business issue that must be championed by the CEO and executive leadership. We must continuously stress that all employees are responsible for security and privacy.
With the entire globe knocking (24x7) at your corporate internet door, everyone must step up to be a gatekeeper to protect our personal information, our company's data and ultimately our jobs and our country's treasured freedom and assets. Remember that we have to think of every possible and likely method of being compromised, while the thousands of hackers spread across the globe only need to choose one to get in.
Remember that compliance is static, legalistic and backward looking, while security is forward looking, dynamic and intelligent. Compliance is just the beginning of all the work we have to do.