Open Minds is a top-notch consulting firm in the health and human service space.
Last month, they published an excellent article in one of their newsletters "Preparing For A Cyberattack — In Four Steps".
Here is a summary of key points:
Cyberattacks — an attempt by hackers to damage, destroy, or hold hostage a computer network, system, or data—have come to health and human service organizations.
The field has become a prime target for hackers. Health care now has twice the number of cyberattacks per day compared to other industries.
You can’t necessarily prevent a cyberattack, but you can mitigate its effect with a few fundamental preventive measures. Here are those preventive measures:
Understand state-specific plans for protected health information (PHI)—Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates. Protecting this information is especially important and complicated because the federal government has rules, and each state has its own set of rules (including privacy regulations) that control access and security for PHI. It’s mandatory to know what data is in your possession and what rules govern how you handle that data.
Conduct a data risk assessment. This assessment helps you identify at-risk, sensitive, or classified data and the level of risk that it may be attacked, hacked, or breached. If you can’t provide a succinct answer to the question, “How vulnerable are you to data breaches?” then chances are you are extremely susceptible. Running a risk assessment means assessing all your technology (hardware and software) and your organizational processes for managing data, and reviewing the staff protocols and training for those who will use and have access to the data.
Build a data security strategy. A data security strategy is your plan (including procedures, policies, and protocols) for how you will protect your data from being compromised, breached, hacked, or held for ransom in any way. Provider organizations need both a strategy and an action plan to leverage the security potential of data encryption, standardized processes for authenticating user identities, defined policies about appropriate data access, and regularly scheduled audits of the databases. Once you have the tools, getting the processes in place will also mean training staff to use and protect your secure system.
Develop a data breach response plan. A response plan is the approach organizations take to address and manage the aftermath of a cyberattack. It’s best to have a plan, including how to stop the hacking and how to report the incident. A slow response to either of those things will only compound the problem (and possibly the financial repercussions with the feds). Your data breach response plan needs a leader, a team with clearly defined goals during the hack, and an incident response plan to guide the team through response protocols.
As always, if you do not have cybersecurity expertise in house, it pays to hire a pro.