Top 5 “To-Do List” Items for Protecting Healthcare Data

by Ben Goodman / 04 January 2014

If your organization deals with healthcare information (whether you’re a mobile health app developer, a dentist, doctor, chiropractor or other medical practice, a medical device manufacturer, or you provide hosting or support services to any of the above), you are the gatekeeper to some very desirable information. As the recent Anthem breach illustrates, bad actors are targeting healthcare organizations in a big way, and no matter how big or small your organization is, protecting your data and the information systems used to create, modify, store and transmit it has become a top priority.

While many companies are promoting advanced technological solutions to protect data, no amount of technology will protect organizations whose employees are untrained and unprepared to deal with this threat. Below is our Top 5 “To Do List” to get started protecting healthcare data. Of course this is just a start, but if you can accomplish this, you’re well on your way to securing your data and transforming your organization out of a hacker’s low-hanging fruit category.


  1. Put Someone in Charge: HIPAA requires that you appoint a Security Officer and a Privacy Officer. Beyond checking the compliance box, this gives someone in your organization the responsibility to protect your clients’ privacy and the authority to do what is necessary to protect data.
    • Your Privacy Officer has to know that she may need to rock the boat to get the job done right. She should know that’s what she’s supposed to do and has the support of senior management.
  2. Know Your Risks: Start by answering these questions:
    • Do you know what data you have?
    • Who in your organization ‘owns’ it?
    • What data is sensitive and what’s not?
    • Where does it live?
    • What systems are used to create, access, modify and/or transmit it?
    Once you’ve answered these questions, conduct a Risk Assessment to identify the threats, vulnerabilities and actions you can take to protect your healthcare data.
    • The first thing HHS Office of Civil Rights (the HIPAA enforcers) will ask you for is your Risk Assessment. Make sure you have one and that it’s up to date.
  3. Establish Realistic and Effective Policies & Procedures: Document consistent guidelines your workforce can employ under various circumstances. Make sure your policies comply with applicable regulations and your procedures meet or exceed current industry standards of care.
    • Can you guess what is second on HHS OCR’s document request list? You got it! And once you’ve put them in place, you’ll see how useful they really are.
  4. Train Your People: The majority of data breaches could have been prevented with better training. And in most cases, the impact of a breach could have been reduced with better preparation. The best technology in the world won’t stop a breach if your people aren’t properly trained. Don’t skimp on training!
    • Nearly all Advanced Persistent Threats (APTs) start with a phishing email to your employees. Without employee training, these attacks are about 85% effective. Proper training combined with other tools can bring that number down to the low teens.
  5. Build the Right Team before a Data Breach Happens: Effective Cyber Risk Management requires experts from a range of disciplines including legal, technical, forensic, insurance and management. Having the right team in place will help protect your organization from a breach and help minimize the damage if something bad does happen.
    • The data consistently shows that well prepared organizations that can respond quickly with an interdisciplinary team of experienced professionals can significantly reduce the cost of a breach.

Attend our upcoming event at Drexel University Cyber Security Institute – Life Threatening Hacks: Mobile Health, Electronic Medical Records and Medical Device Data Security. The event is free but space is limited so please register here:

About the author:

Ben Goodman, CRISC is the founder of 4A Security, a firm that develops and implements tools for cyber risk analysis, information security and compliance. He has over 25 years of experience in information technology, technology strategy and risk management. 4A Security is dedicated to strengthening the cyber defenses and resiliency of US organizations, institutions and critical infrastructure.

Ben is the recipient of ISACA's CRISC Worldwide Achievement Award. (CRISC: Certified in Risk and Information Systems Control).

Ben is a member of the Casualty Actuarial Society’s Cyber Risk Task Force.

Ben is also a founding member of Drexel University’s Cyber Security Institute Advisory Board and a member of Drexel LeBow School of Business, Executive Education Faculty.