Brown: Keep your digital data safe — and HIPAA compliant

Learn the nuts and bolts of cybersecurity for seniors housing operators

By F. Alex Brown

Over the last 10 years we have seen a significant increase in attention to IT security and to protecting technology and data resources. As we continue to hear about security vulnerabilities and data breaches, companies are continuously working to establish solutions that address potential threats to their data.

Technical control guidance and IT control framework standards have evolved to provide a baseline for organizations to model a planned approach in the development and implementation of IT controls.

In February 2014, the National Institute of Standards and Technology (NIST) released its final version of a cybersecurity framework for improving critical infrastructure controls as directed under the President’s Executive Order 13636 — Improving Critical Infrastructure Cybersecurity. 

In January 2013, the Department of Health and Human Services (HHS) finalized the HIPAA (Health Insurance Portability and Accountability Act) final rule.

These rules are just two examples of the growing focus on security and related compliance laws and regulations within the last five years that health organizations must consider in managing and protecting data and IT systems.

But what are some key areas that seniors housing organizations — especially those with a health care element — should focus on when considering security within their company? 

It is important that each company consider its own security resources and environment in developing a strategic security plan.

Manage mobile devices

The use of mobile devices and tablet technology within the health industry, especially within the assisted living sector, has exponentially increased in the last five years. Mobile technology offers flexibility and convenient access to patient records and company applications.

However, with this flexibility comes increased risk to organizations. 

How is data secured on the device? Is data encrypted during the transmission of information? Does the company have a policy for the use of mobile devices that are connected to company applications and the overall protection of data? 

The adoption of mobile technology will continue. Companies should have a solid strategy in the management and use of mobile devices.

- Establish a strong mobile device policy. Mobile policies should cover the use and management of the device, reporting requirements if the device is stolen or lost, and security password requirements.

- Review and understand the capabilities for encrypting data. This is especially important for those companies that must comply with HIPAA Security Rule Standard for Data Encryption.

- Establish controls for the management of applications. There are thousands of applications on the market today. Unfortunately, not all of them are safe. Increasingly, malicious code and malware are packaged as mobile apps that claim to provide some useful function. Background scripts can run without the user's awareness and thereby compromise organizational data or system access. Consider limiting the installation of applications to protect your company's data.

Keep your passwords strong

Although this seems so basic, it is one of the more frequent areas where organizations fall short. Strong passwords can significantly reduce, or at least slow down, the frequency of successful breaches of organizational data. Consider the table at the top of the next column.

A large percentage of IT systems and data are compromised because of weak or ineffective passwords. It is important that companies define a password policy and apply its settings within their IT applications and systems. When researching new technology, companies should also understand the security settings it supports, including its password controls.

There are gaps in the cloud

Cloud-based services are an area where a lot of companies have not clearly defined a strategy for security. There may be a clear vision and understanding of a vendor’s base service, but in many instances security is not a defined part of the service or product. 

A number of vendors build cloud-based services into their products. As part of the business model, companies are usually presented with the benefits and flexibility of the service.

However, another layer of understanding should accompany the questions of pricing and implementation factors. This layer would include a series of questions regarding the protection and storage of data.

Below are some questions to define and build this understanding:

- Where will my data be housed? Understand the physical location where your company's data will be maintained.

- Will my data be stored in a shared space that could compromise the integrity of my business? For example, will company data be stored in a shared location alongside an adult website?

- Can my data travel and be maintained outside of the U.S.?

- Does the cloud vendor engage a third party to test and report on the IT controls its management has implemented?

Maintain strong policies

Security policies and procedures provide overall structure to a company’s IT administration and management. Without a strong policy framework, activities, procedures and even decisions can be made that are not in line with the mission and strategic goals of the organization. 

Company policies should provide a framework of the overall purpose of IT activities and procedures performed. In addition, policies should provide a basis of how the company actively manages its IT resources. 

Imagine that no policy is in place to define the requirements for purchasing new computers and hardware. Can I build my own computer and sell it to the company? Can I buy devices that do not meet our company's security standards? These are critical topics to consider.

A frequent topic that comes up with many companies is identifying and defining which policy topics the organization should address. Which security policies to adopt, and how, should be based on the company's current IT resources and strategies. Smaller companies may not need a policy structure as extensive as a larger organization's; in every case, though, it should be tailored to support and define the goals and resources of the organization.

Security threats will continue to evolve and grow, and companies will continue to work strategically to protect their IT resources. Understanding and identifying IT risk areas and vulnerabilities should be the first step in addressing them.

The ideas identified above should help identify potential areas that management may need to strengthen, but companies should undertake an IT risk assessment in order to obtain a full understanding of the company’s vulnerability and risk landscape.

F. Alex Brown is senior manager of information technology consulting for Plante Moran. He has over 16 years of information technology audit, technology regulatory control compliance, and system integration project experience.  
