The only way to do that is to conduct a comprehensive risk assessment that takes a hard look at your organization, sizes up its attack surface, and identifies vulnerabilities, many of which you may not even be aware exist.

A comprehensive risk assessment, Andrew Hicks of Coalfire says, must probe into “every channel, every person, and all systems that interact with the ePHI data.” A requirement of security, he explains, is “knowing where the data is and how it
is accessed, how it flows through your systems.”

So an integral part of the risk assessment is the process of discovery. As has often happened with an IT team focused on their own goals, the business might be engaging in activity that the IT team doesn’t know about.

“ When you look at the HIPAA rule, it says that you’re going to protect the health information from all reasonably identified threats. The starting point to
doing that is a risk assessment.”

“ A risk assessment should entail every channel, every person, all systems that are
interacting with your ePHI data.”

By hiring a team of IT experts who can continually locate vulnerabilities, you can keep your infrastructure and data out of the reach of dedicated cybercriminals. An organization will also need to undergo risk assessments under HIPAA regulations. It’s recommended that the assessments be subjective and conducted on a regular basis.

The current statistics report that a large percentage of data breaches come from inside an organization through unintended employee mistakes, such as mishandling data.

Biggest threats to data security: employee negligence
69%>> Employee behavior (a combination of mistakes, lax access controls, and malicious activity)
39%>>Unintended mistakes by internal staff (making this the leading overall cause of data breaches)

Tips for Prevention
• Training has to be at the heart of any risk management endeavor, and it must be an ongoing process. By providing ongoing training in security and risk mitigation
measures, you’ll send the message that you take security seriously. Empowering all staff to play a part in helping an organization be more secure is about building a culture of security in which
everyone understands the risks and how to help mitigate those risks.
• Give staff an awareness of the threats out there and some hands-on training so that they know how to react to different scenarios. People should be made aware that confidential information attached to an email can end up with the wrong recipient and that passwords should be strong and
not easy to break.
• Take a hard look at how you’re allowing data to be handled and identify ways to mitigate the unintentional (or malicious and intentional) mishandling of data. For example, setting a limit on how much data can be exfiltrated at one time can help control where the data is going and why.

Check back tomorrow as we continue to discuss this topic in depth.