Why is Information Security So Important in Healthcare?

The goal of the healthcare industry has always been to provide quality patient care. To do so, healthcare organizations have invested in state-of-the-art technology and highly-educated personnel, but there’s still one thing that many in the healthcare industry have failed to do: invest in robust information security management programs. In fact, almost on a daily basis, there’s headline after headline reporting of new healthcare data breaches impacting the PHI of hundreds, and often times, millions of patients. This leads us to question: why would someone want to steal healthcare data? Why is it so important that the healthcare industry focuses on information security?

Why Would Someone Want to Steal Healthcare Data?

It’s understandable why a malicious hacker would want to steal financial data. After all, most malicious hackers are after some sort of financial gain. But there’s one critical issue with compromising financial data: card numbers, PINs, account information – it can all be easily changed. When it comes to protected health information (PHI), its long-term value makes healthcare data more enticing for malicious hackers to steal, and that is all the more reason why information security is so important in healthcare.

3 Reasons Why Information Security is So Important in Healthcare

1. The healthcare industry is highly regulated.

The healthcare industry is one of the most regulated industries in America. That’s why we see so many reported breaches in the media and on the OCR’s “wall of shame.” But despite the HIPAA Security, Privacy, and Breach Notification requirements and the various state laws that require covered entities and business associates to protect PHI, there’s a serious lack of robust information security management programs. In order to provide quality patient care and meet HIPAA requirements, then, covered entities and business associates alike need to heavily invest in the security of their people, processes, and infrastructure as a whole.

2. The healthcare industry is highly dependent on new technologies.

From artificial hearts to mobile applications, the modern healthcare industry wouldn’t be what it is today without advancing technologies. However, as we all know, whenever new technology is introduced into an environment, the attack surface increases, and new risks must be accounted for. This goes beyond technologies used in hospitals or other healthcare facilities – medical manufacturers must also take into account the cyber risks associated with their products. For example, something as simple and as medically necessary as an insulin pump, like that of Medtronic, can become vulnerable to a cyberattack and have detrimental effects on a patient’s well-being.

3. The healthcare industry is highly reliant on humans.

Week after week, there are reports of data breaches impacting hundreds of healthcare patients, and many of these attacks are the result of human error, such as falling for phishing attempts. Because the healthcare industry relies on humans to provide quality patient care, a data breach or security incident becomes much more likely, which is why creating and implementing a robust information security management program must be made a top priority.

It is paramount that covered entities and business associates alike understand why information security is so important to the healthcare industry. To continue providing quality patient care, robust information security management programs must be established and maintained. Want to learn more about how your healthcare organization can meet HIPAA or HITRUST requirements? Need to see if your systems can stand up to an advanced penetration test? Ready to prove to your patients that you can deliver quality patient care? Contact us today.


Who Owns the Risk?

We find that managed service providers (MSPs) are often reluctant to take responsibility for the risks that they pose to clients. Their clients, though, may assume an MSP does take ownership of a particular risk – and herein lies the problem. When this type of miscommunication occurs, it leaves major gaps in organizations’ security posture. So…who owns the risk?

Shifting the Risk

When an organization engages with one or more MSPs, it must understand the concept of shared responsibility. MSPs and their customers must work together to meet security standards and expectations. Working with an MSP doesn’t remove the risk from the customer; it shifts it. Protecting systems like database servers, firewalls, switches, authentication services, and log servers means there is a distribution of risk between the MSP and the customer. As an MSP, you must clearly define to your client what is within the scope of your responsibilities. Customers do inherently accept some risk, but not all of it. You’re providing important, essential services – take that responsibility seriously. Your customers are putting their trust in your services. MSPs depend on trust. If a client can’t trust your services, why would they choose to use you?

Don’t fall into the trap of getting too comfortable with risk when you partner with an MSP. As an organization engaging with one or more MSPs, you must remember that you cannot outsource your reputation. Your reputation will always be at risk – and your responsibility. It’s up to you to vet MSPs and hold them to a high standard.

Benefits of Owning Your Risk

Pursuing challenging compliance goals, especially before you’re required to, may seem like too much work, money, or time. We believe, though, that when an MSP proactively undergoes something like a SOC 2 audit, it demonstrates that they are invested in providing secure services and ensuring that their clients’ data remains protected. Achieving compliance objectives before your competitors or before you’re asked by a game-changing prospect prepares you to own your risk.

MSPs’ reputation, business continuity, competitive advantage, and branding all depend on the quality and security of their systems and can benefit from SOC 2 compliance.

Owning your risk…

  • Makes you aware of where your vulnerabilities are and how they impact your clients
  • Gives you direction on where to mitigate risk
  • Gives you a competitive edge and puts you above the rest
  • Protects your reputation
  • Ultimately, makes you and your customers more secure

If you’re an MSP who is hesitant to undergo an information security audit, consider the implications of suffering a data breach or security incident. The negative implications aren’t limited to your reputation; there’s a ripple effect. Once your customers’ information systems or data are exposed, you’re on a path full of obstacles and fragmented security. Your reputation will be permanently changed. Clients will stop trusting you, prospects will stop inquiring about your services, and lawsuits and fines will begin to surface. The continuity of your business depends on securing your systems and proving that you are, in fact, a secure MSP.

Have questions about how to achieve compliance goals or start the compliance journey? Contact us today.


5 Information Security Considerations to Make Your Startup Successful

From Silicon Valley to Times Square, startups of all kinds are popping up all over the United States and beyond. It’s easy for the founders to put all of their resources into starting the business and taking it to market, but what happens when the data that fuels that startup is breached? What happens when an immature information security program causes that startup to fail?

What Makes a Startup Successful?

There’s a lot that goes into making a startup successful – a great idea, strong leaders, a solid business model, investors, and grit – but there’s even more that factors into scaling a startup. In fact, there’s one key component to making a startup successful that’s often neglected: a robust information security program. In today’s age, information security is one of the top concerns of organizations because they know that it’s only a matter of when, not if, a cybersecurity attack will affect their business. Unfortunately, not all startups recognize how pervasive the current threat landscape is, or they don’t even know where to begin with implementing an information security program. In order for a startup to be truly successful, a robust information security program needs to be created from the start. What should it include? We believe that there are five key considerations that organizations must keep in mind when creating their information security program.

1. Get Executives on Board with Information Security from the Start

We often discuss the importance of implementing a culture of compliance from the start of your business, and this is especially true for startups. Why? Because a startup is usually made up of very few members and often does not include IT personnel. This means that for startups, it’s even more important that executives understand and acknowledge the importance of implementing a robust information security program; they need to make it a shared responsibility to design business processes and systems with security controls in mind from the start.

2. Know Your Assets

The value of having a robust information security program comes down to protecting your organization’s valuable assets. For startups, this should really hit home. It’s hard enough getting a company off the ground, so what would happen if, six months into launching, a breach occurred or a physical device containing your company’s data was stolen? It’s happened before and it will happen again. Knowing what assets you have and how much they’re worth to you will help you risk-rank which assets need to be protected first.

3. Implement Information Security Basics

Almost all organizations use some form of technology to carry out their business processes, and startups are no different. In fact, most startups have mobile or web applications that are just as likely to be hacked or targeted as Fortune 500 companies. That’s why startups need to implement information security basics, such as firewall configurations, network access controls, antivirus software, password policies, and MFA, to mitigate the risk of malware attacks, DDoS attacks, API disruption, and the plethora of other cybersecurity threats startups are faced with.

4. Educate Your Employees

Employees are often thought of as the weakest link at any organization. Because of the limited number of personnel at a startup, focusing on security awareness training might not seem necessary, but that couldn’t be further from the truth. Every single person working at your startup needs to know how they could unintentionally compromise your organization by falling for phishing attempts, using bad passwords, or just not following policies. Whether your startup has a team of two or thirty, investing in security awareness training from the beginning reinforces a culture of compliance and helps mitigate the risk of human error causing a security incident.

5. Establish Physical Security Controls

Another focal point startups must keep in mind is establishing physical security controls. Many times, startups work out of incubators or coworking spaces, but these environments might not always have the most secure physical security controls in place to keep their assets protected. Let’s say that a startup is based out of a coworking space – what physical controls are in place to protect your assets? Does the coworking space have security cameras? Do they have badges, key fobs/cards, biometric access controls, security guards, and/or receptionists? There’s no telling who could enter a coworking space and gain unauthorized access to your sensitive assets, so establishing physical security controls needs to be a top priority.

Malicious hackers don’t discriminate against startups. If there’s sensitive data to access, they’re going to find a way to get their hands on it. That’s why investing in a robust information security program from the start is so worthwhile: security incidents can cause outages in critical services and operations, ruin your reputation, and cause your business to fail before it even takes off. It’s every entrepreneur’s dream to see their business succeed – don’t let an immature information security program keep you from achieving that. As a firm that started out small, we know what it takes to grow a business and we’re dedicated to helping you do just that. Contact us today to learn more about how KirkpatrickPrice can help you implement a robust information security program for your startup.


Top 4 Information Security Concerns for Shared Working Spaces

From WeWork, Impact Hub, and Knotel to Serendipity Labs, Green Desk, and Techspace, coworking spaces are revolutionizing how people work. A shared working space, or a coworking space, is an environment that fosters collaboration by allowing companies and employees of all sizes and industries to share equipment, offices, and in some cases, ideas. These coworking spaces offer a variety of benefits, including flexible leasing or membership options, more affordable working spaces, resources for start-ups, offices for conferences and meetings – the list goes on and on. It’s no surprise that remote employees, start-ups, and established enterprises have all begun to use these innovative shared working spaces. However, with coworking spaces in such high demand, one must stop to ask: what are the information security concerns for shared working spaces? What potential risks do shared working spaces pose for the various clientele they serve? Let’s find out.

Top 4 Information Security Concerns for Shared Working Spaces

While the benefits of using coworking spaces are enticing, organizations must be aware of the information security concerns that shared working spaces pose to their security posture. When working in an environment that caters to a variety of organizations, industries, and clientele, businesses and coworking facilities must perform their due diligence to ensure that their organizations’ assets remain secure. So, how can this be done? We believe that organizations should review these top four information security concerns for shared working spaces before signing up for any type of membership.

Physical Security

Perhaps one of the top information security concerns for shared working spaces is physical security. With the number of members coming in and out of the coworking space each day, shared working space facilities must have processes for verifying the identity of members. This might be ID badges, key fobs/cards, biometric access controls, security guards, and/or receptionists. There should also be some type of video surveillance, monitoring, and logging so that if an unauthorized person gains access to the facility, there will be documentation.

Internet and Cybersecurity Policies

Another top information security concern for shared working spaces has to do with Internet and cybersecurity policies. Does the shared working space offer unique WiFi credentials for each user or company? How does the coworking space segment each member’s access to the Internet? A malicious hacker could easily purchase a day pass to a coworking space, hack the WiFi, gain access to members’ sensitive information, and breach the data of multiple organizations. If you’re going to work out of a shared working space, make sure that the organization has strict Internet and cybersecurity policies to keep you and your data protected from potential hacks.

Device Security

Depending on the type of membership one purchases, there are different concerns for device security. If a start-up purchases a monthly membership and plans to work out of the office every day, they might want to leave their equipment in the coworking space. This would call for greater security controls to be implemented in addition to the physical security controls mentioned above. In this case, the coworking facility would need to offer lockers or locked rooms to keep devices from being stolen. On the other hand, if a remote employee uses the coworking space on a day-to-day basis and has no need for leaving their devices overnight, there still needs to be device security controls in place to ensure that their device remains secure. What if a remote employee gets up to grab a coffee? What security measures are in place to ensure that the device left on the table isn’t compromised while they’re away from their desk?

Personnel Security

In a collaborative environment, it can be easy to overhear confidential conversations or shoulder surf, which is why it’s paramount that the coworking facility offers solutions to mitigate this. Let’s say that two competitors work out of the same shared working space. If one company overhears a product pitch and decides to copy the idea, that could result in the demise of the other company. There need to be conference rooms or secure locations where members can share ideas and hold confidential meetings without the risk of sensitive information being overheard and/or stolen. To mitigate the risk of shoulder surfing, on the other hand, each member should take their own precautions, utilize polarized screen shields, and lock their screens whenever not in use.

The allure of coworking spaces doesn’t seem like it’s dying down anytime soon. If your organization is considering utilizing a coworking facility, make sure you perform your due diligence and ask questions about how the shared working space addresses these top four information security concerns. If they don’t have established and effective policies and procedures for physical, Internet, device, and personnel security, they aren’t a secure facility.

Interested in learning more about how you can stay protected when working in a shared working space? Contact us today.


Are Your Remote Employees Working Securely?

Employees are often considered an organization’s weakest link, but remote employees create additional risks that businesses must be cognizant of. As more and more businesses opt to hire remote employees, they need to prepare for and stay ahead of these risks. What would happen if a remote employee used public WiFi and a malicious hacker gained access to your organization’s sensitive files? What would be the impact if your remote employee opened a phishing email because they weren’t trained properly? How would you handle a remote employee losing a company laptop? Having processes in place to train employees on remote security best practices is crucial for any organization’s security. Are your remote employees working securely?

5 Steps to Ensure Remote Worker Data Security

Implement Security Awareness Training

A key component of ensuring that remote security best practices are followed is implementing security awareness training. It’s so important, in fact, that many of the most common information security frameworks, such as SOC, PCI, and HIPAA, require some sort of security awareness training in order to comply. While you can ensure that employees are equipped with the most secure, up-to-date technology, if the people using that technology aren’t well-versed in the many threats they face while using them, those security measures won’t be as effective.

Establish Thorough Usage Policies

Whether it’s desktops, laptops, tablets, or smartphones, employees must have a clear and thorough understanding of how they should use personal or company devices. Do you have a BYOD policy? Are employees able to access work emails on personal devices or vice versa? What are you doing to monitor usage? For employees that are working remotely, establishing these thorough usage policies is especially paramount to ensure that an organization’s security posture remains intact.

Create Effective Password and Encryption Policies

Along with having thorough usage policies, organizations must create effective password and encryption policies in the event that a mobile device is lost or stolen. Malicious hackers often capitalize on employees’ weak passwords to infiltrate organizations’ networks and can easily access sensitive information if the proper encryption techniques aren’t in place. Educate your remote employees on the dangers of weak passwords, using the same password on work and personal devices, and sharing passwords with others to prevent data breaches or security incidents.

Monitor Internet Connections

Part of the allure of working remotely is just that: being able to work from anywhere. However, this poses major threats to an organization’s security posture. Remote employees are notorious for falling into the trap of connecting to public or unsecured networks in airports, cafes, and other high-traffic public spaces. As part of the usage policies, organizations must have policies and procedures in place for monitoring the internet connections of those working remotely. If your organization offers a BYOD policy, do you offer a reimbursement plan for employees who use their personal hotspot, or do you supply hotspots for your remote employees? Should remote employees use VPNs? If a remote employee is connecting to unsecured networks, they’re putting your organization at risk, and you need to know about it. Establishing monitoring policies and procedures will help keep you ahead of potential cyberattacks and ensure that employees are following remote security best practices.

Ensure Devices and Applications are Updated

For organizations that have many employees who are working remotely, it can be challenging to ensure that all of their devices and applications are updated with the latest antivirus, anti-malware, firewall, web filtering, and encryption needed to keep devices secure. Considering this, these organizations must make it a priority to review their processes for ensuring that devices and applications are updated regularly. Think of it this way: if just one employee misses or forgets to update their mobile device, an organization could experience catastrophic impacts, such as steep fines and penalties, lawsuits, loss of reputation, and/or loss of business.

Remote employees offer many benefits to organizations, but they also pose many threats. Whether employees are working remotely full time or just a few days a year, ask yourself: are your remote employees working securely? Don’t put your organization’s financial health, operations, and reputation on the line – implement these remote security best practices to safeguard your business from potential breaches caused by remote employees. Contact us today to learn about our policy and procedure development services, our security awareness training courses, and more.
