All This Data, All This Risk
We have talked a lot about data and information in this series and in previous ones. But collecting and storing data carries significant risk. Every day we hear about malware, hacks, ransom demands, and phishing scams that can paralyze an organization and put sensitive data about clients and staff at risk. And as demand for data grows, with payers asking for more information about health and its social determinants to evaluate provider performance, assess consumer health status and risk factors, and build predictive analyses on the aggregate, the risk grows with it.
Data breaches are increasingly common and can have devastating effects. Organizations face risks in their IT systems, which may (and, in fact, do) have vulnerabilities their users are not aware of. Technical controls mitigate the risk, but they are often costly and none is foolproof. At the same time, each of us is connected to an ever-growing number of apps that require passwords. The strongest passwords are long and unique, which also makes them hard to remember; note that current NIST guidance (SP 800-63B) no longer recommends forcing periodic password changes, and instead calls for screening new passwords against known-breached lists and rotating only when compromise is suspected. And that is only the part end users control.
Mitigating Data Security Risks at Behavioral Health Organizations
In addition to Protected Health Information (PHI) about its clients, many organizations also hold sensitive personal data about clients and staff, such as driver's license and Social Security numbers, and some store credit card information; all of it can be used for identity theft. Many organizations carry cyber liability policies, and should, but insurance does not undo the harm (and cost) a breach causes to clients, staff, and the organization. Mitigating these risks is a complex endeavor. It requires investment in system upgrades that improve security; equally, if not more, important, it requires engaging staff in detecting and deflecting would-be attackers.
Approaches to Data Security
At ContinuumCloud's September ACCELERATE Conference, attendees heard from Robert Greene, CIO at Aspire Health Partners, about creative approaches to engaging staff. One of the key points I noted was that this is not a one-and-done endeavor. We may all cover security during onboarding, and we may require staff to change passwords every few weeks or months, but neither is sufficient in today's environment. Newer approaches include multi-factor authentication and biometrics, and emerging technology such as FIDO2/WebAuthn passkeys may move us away from passwords to better, harder-to-phish ways to verify a user. Not all second factors are equal: a one-time code sent by SMS or email can be relayed by the same phishing page that captures the password, whereas a passkey is bound to the legitimate site and cannot be replayed to it from a lookalike.
But for now, organizations must encourage staff to remain vigilant and engaged. Training is certainly important. Through it you establish the why: how a vulnerability can play out, and why protecting the client, the staff, the data, and the organization matters. Policies should make clear that there are consequences for violating security rules (e.g., sharing a password, leaving data exposed or unsecured, plugging personal thumb drives into company equipment, or installing unapproved apps on it). Once trained, however, staff can become complacent, and the bad actors are increasingly clever about tricking even sophisticated and vigilant users.
Gamification as a Learning Tool
Among Greene's recommendations is turning training and awareness-building activities into games that challenge staff to identify risks and rate how safe they believe their organization or department is. He had attendees play a Dungeons & Dragons style game in which points were awarded based on a roll of a polyhedral die and the correctness of the answer. It was entertaining and made you think, and you learned from both the correct and the not-so-correct answers. I liked this approach because it was engaging and the questions could be shaped for different types of staff and departments, from IT itself to end users at every level.
Another aid is phishing simulation: sending test phishing emails internally that pretend to come from within the organization, then working with those who fall for them on how they might have detected the ruse. Many email systems now help, for example by flagging external senders and checking SPF, DKIM and DMARC on mail that claims an internal address, but most intrusions still begin with a user being tricked. When this approach is first implemented, organizations typically find that a large share of staff are fooled. With training and awareness delivered in an engaging manner, that number can fall sharply.
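The paragraph above says that email systems help catch messages pretending to come from within the organization. The Python below is an added example, not code from the original post, from Aspire Health Partners or from ContinuumCloud, showing the check a mail gateway or a downstream filtering rule performs: it trusts only the Authentication-Results header written by the organization's own gateway, flags mail whose From address claims the internal domain without a DMARC pass, and flags lookalike sender domains. The domain example.org, the authserv-id mx.example.org, and the four sample messages are constructed assumptions for illustration.

```python
"""Flag mail that claims an internal sender but does not authenticate.

Added example, not from the original post. Assumptions (illustrative only):
the organisation's domain is example.org, and its inbound gateway stamps an
RFC 8601 Authentication-Results header whose authserv-id is mx.example.org.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.org"   # assumed organisation domain
AUTHSERV_ID = "mx.example.org"    # assumed id our own gateway writes

# Constructed sample messages for this example; not real captured mail.
SAMPLES = {
    "legit_internal": (
        "From: HR Team <hr@example.org>\n"
        "To: staff@example.org\n"
        "Subject: Benefits enrollment\n"
        "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org;"
        " dkim=pass header.d=example.org; dmarc=pass header.from=example.org\n"
        "\nPlease review the attached enrollment form.\n"
    ),
    "spoofed_internal": (
        "From: IT Support <helpdesk@example.org>\n"
        "To: staff@example.org\n"
        "Subject: Your password expires today\n"
        # A sender-supplied header under a foreign authserv-id must be ignored;
        # only our gateway's own verdict (the second header) counts.
        "Authentication-Results: attacker.invalid; spf=pass; dkim=pass; dmarc=pass\n"
        "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk.invalid;"
        " dkim=none; dmarc=fail header.from=example.org\n"
        "\nClick here to keep your password.\n"
    ),
    "lookalike_domain": (
        "From: CEO <ceo@examp1e.org>\n"
        "To: finance@example.org\n"
        "Subject: Urgent wire\n"
        "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examp1e.org;"
        " dkim=pass header.d=examp1e.org; dmarc=pass header.from=examp1e.org\n"
        "\nSend the wire this morning.\n"
    ),
    "external_vendor": (
        "From: Billing <billing@vendor.example.net>\n"
        "To: ap@example.org\n"
        "Subject: Invoice 1234\n"
        "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=vendor.example.net;"
        " dkim=pass header.d=vendor.example.net; dmarc=pass header.from=vendor.example.net\n"
        "\nInvoice attached.\n"
    ),
}

# One "method=result" clause, e.g. "spf=fail smtp.mailfrom=..." -> ('spf', 'fail').
_CLAUSE = re.compile(r"^\s*(?P<method>[a-z]+)=(?P<result>[a-z]+)", re.I)


def parse_auth_results(headers, authserv_id=AUTHSERV_ID):
    """Map method -> result from the Authentication-Results header our gateway wrote.

    Headers whose first field (the authserv-id) is not ours are skipped: a sender
    can prepend a fake one, so the check must not trust an arbitrary header.
    """
    results = {}
    for header in headers:
        fields = header.split(";")
        if fields[0].strip().lower() != authserv_id:
            continue
        for clause in fields[1:]:
            match = _CLAUSE.match(clause)
            if match:
                results[match.group("method").lower()] = match.group("result").lower()
    return results


def is_lookalike(domain, internal=INTERNAL_DOMAIN, threshold=0.8):
    """Coarse typo-squat heuristic: a different domain that is nearly identical to ours."""
    if not domain or domain == internal:
        return False
    return difflib.SequenceMatcher(None, domain, internal).ratio() >= threshold


def classify(raw):
    """Return (verdict, reason) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get_all("Authentication-Results", []))
    if domain == INTERNAL_DOMAIN:
        # Our own domain in From: must be backed by a DMARC pass from our gateway.
        # Genuine internal mail relayed through it always has one; anything else
        # is a spoof (or a relay misconfiguration worth investigating).
        if auth.get("dmarc") == "pass":
            return "internal", "DMARC pass for our domain"
        return "spoofed-internal", f"claims {INTERNAL_DOMAIN} but results were {auth or 'absent'}"
    if is_lookalike(domain):
        return "lookalike-domain", f"{domain} closely resembles {INTERNAL_DOMAIN}"
    return "external", f"sender domain {domain}"


def triage(samples):
    """Classify a batch of raw messages: name -> verdict."""
    return {name: classify(raw)[0] for name, raw in samples.items()}
```

Running `triage(SAMPLES)` labels the four constructed messages internal, spoofed-internal, lookalike-domain and external. The authserv-id check matters: RFC 8601 expects the receiving gateway to strip any Authentication-Results header that carries its own id before adding one, precisely because senders can forge them, and a check downstream of the gateway should still trust only the header it knows its gateway wrote. The string-similarity threshold is a deliberately simple heuristic; production filters also handle Punycode/IDN homoglyphs and check alignment on the registered domain rather than the full hostname.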
Data Security is Everyone’s Job
While many of us think that digital security is IT's problem, in reality every member of an organization is responsible for protecting its data and operations. Many aspects do fall to IT, in how systems are configured and the recovery mechanisms they establish, but we humans, as end users, are often the weak link. Organizations that engage staff in protective strategies will fare best in an increasingly challenging data security environment.