The United States Department of Homeland Security started National Cybersecurity Awareness Month (NCSAM) in October 2004. Now that NCSAM is in its 17th year, we embrace the awareness it has generated in protecting health information.
In recognition of NCSAM, we will share 30 Tips in 30 Days. It is our goal to keep you informed daily with helpful tips on cybersecurity and increase your awareness in protecting a patient’s health information.
As you know, eHealth Technologies’ Privacy and Security teams deliver monthly training – everyone should know Think Before You Click! Check out Tip #1 below!
30 Tips in 30 Days Tip #1: Start Building A Solid Cyber Program
Organizations collect and track a lot of sensitive information regarding their customers, staff and operations, including:
- Health information
- Social security numbers
- Employee and volunteer records
- Billing information
- Intellectual property
With cybercrime on the rise during COVID-19, no one can afford to treat cybersecurity as anything less than a top priority.
Steps you can take:
Establish a culture of security awareness: Establishing an internal culture of security awareness is the responsibility of an organization’s leadership. Too often, organizations put the responsibility on IT. To get started, you can explore and enroll employees in a cybersecurity and privacy awareness program.
Inventory your data and systems: You can’t protect what you don’t know about. It’s important to have a complete list of all the different data you collect and systems you use. The easiest way to do this is by using a simple template. Review this inventory with stakeholders around the business and make sure you’ve found where all the important information is stored. And don’t forget what gets scanned and printed: scanners and printers have storage and need to be inventoried too.
Assess your controls: Next, you’ll need to assess the controls your organization uses to safeguard the data, and the potential risk to that data should it ever be compromised. This can be done in-house but is normally best left to a trusted cybersecurity partner. A trusted vendor with specialization in your industry will be able to produce a report that not only showcases where your organization is most vulnerable but also offers practical and prioritized recommendations to help your organization without you needing a tech jargon dictionary next to your desk.
Implement your plan: Now it’s time to put the plan into action and remediate the findings from the report. Remember, this is a continual process and not just a single event. It’s possible some of the recommendations can be performed in-house, and, where applicable, it’s a great idea to do so. Keep in mind that remediating these findings may not have been on your staff’s current list of responsibilities or in their skillset. It may be beneficial to seek outside guidance or even outsource the remediation altogether.
If you have questions on the privacy and security of health information, please contact Michael Sciortino, Esq.