How to find the risks you might be missing.
Security cameras? Check. Guards? Check. Locked doors? Check. Privacy monitors? Umm . . .
When it comes to data security, many health organizations don’t always worry as much about the physical aspect. While many foundational security issues may have been addressed, organizations are likely to have overlooked details such as
People may think physical security only applies after hours. However, most data thefts occur in the middle of the day, when the staff is too busy with various assignments to look at the person walking out of the office with a server, company laptop, phone, etc.
Organizations may also think data thefts are large events that take months of planning, looking like something from those heist movies. (Oceans 11, anyone?) However, most data thieves use simpler plans.
The majority of physical data thefts take less than only minutes in planning and execution.
Malicious entities (hackers) strike quickly, take what data they can and leave with little to no trace. In this case, data thieves take advantage of the lack of physical security in healthcare organizations. Here are some issues that your organization may not have considered.
See also: 5 Tips to Boost Your Business’s Physical Security
The main problem offices have with devices is a nurse and a client use the same type of mobile device, such as an iPad. A thief could walk in, take an iPad off the reception desk when no one was looking, and walk out, all within five minutes.
Would you stop someone if they were walking out of your office with an iPad? Probably not, because you would assume it was theirs. But within a few potential minutes, that hacker has access to the network and whatever data or PHI is on that iPad.
This type of theft can and does happen, and sadly it’s not limited to your office, hospital, etc. Many workforce members work long hours and take devices with PHI on them home, stopping at a grocery store or a child’s school on the way home from work. Theft is quite likely if a device is left alone and unsecured in or out of the workplace, and that breach can cause quite a bit of heartburn.
See also: SecurityMetrics HIPAA Guide
See also: Balancing Mobile Convenience and PHI Security
You don’t often think of thieves leaving something behind, but for hackers, an easy way to further the data heist is to leave behind malware.
Here’s an example: A receptionist at a large hospital notices a flash drive was left on the desk. It’s labeled “HR,” so the receptionist decides to just drop it off at the Human Resources Department. The person in HR takes it and plugs it into a computer without a second thought. But that flash drive was full of malware and now the hospital’s system is infected and likely losing data.
Be suspicious of any unfamiliar hardware or device that randomly appears.
Often a thief doesn’t have to enter an office to steal information. They can look through a window and see information on the computer screens of workers. This can be remedied simply by putting up blinds in offices that have sensitive information.
Receptions desks are filled with tidbits of information and loose PHI that cause data thieves to grin. Things like passwords written on sticky notes, computers without privacy monitors, and patient records lying out in the open are all fair game for social engineers.
Reception desks also get the most traffic, which is why they are typically the first target. Social engineers can steal a lot of information without being noticed. It’s critical to the safety of your patient’s data that your receptionists are properly trained to handle social engineers and aware of everything that’s going on.
See also: Healthcare Reception Desks: Breeding Ground for HIPAA Compromise
Keeping track of clients coming in and out may seem insignificant, but it can help discourage thieves and provide information should your data get stolen.
Having check-ins helps your staff to acknowledge and remember the clients that come in, making it harder for social engineers to slip in and out unnoticed. Make sure all clients/vendors that come into the building sign in and out when entering secure zones (like a data center, or networking areas/server areas), and always assess who really needs access to those very sensitive areas.
Social engineers love an entity that doesn’t pay as much attention to physical security. It makes their jobs that much easier, and if you aren’t paying attention to these areas, what else might that attacker poke around at? A social engineer can go into a hospital, walk into an unlocked office, sit down on an unlocked computer, steal phi, and then leave all within ten minutes.
But if the office door is locked, then the social engineer usually won’t bother.
Hackers and thieves are often lazy. Why go to a lot of trouble to get past a locked door if there’s an unlocked one down the hall? By locking office doors and computers, you deter many data thieves (what’s crazy is this very basic concept translates to all areas of security).
Most of these risks can be prevented with little effort. Here are some suggestions:
See also: Common HIPAA Violations: HIPAA Quiz/HIPAA Test
Most social engineering and data thefts can be prevented by following these simple practices. If your organization is taking into account the smaller issues, a social engineer, or a thief will be less likely to bother you because it’s not worth the effort.
It’s the greatest benefit from the littlest effort.
.svg)
