The greatest threat comes from within
Sometimes it is easy to forget that the greatest threat is from within. In today’s focus on cyber-security world, we tend to focus on keeping people out of our network as a primary method to keep our sensitive data, such as ePHI, safe. While that is incredibly important, we should make sure not to overlook the threat posed by those we do grant access. How much of a threat is it? Well, roughly half of all attacks originate from inside the company - and not all are with malicious intent.
Part of the problem is we leave the door open, so to speak. While we are spending time and effort to keep people from the outside out, we are leaving the door open for people on the inside to take what they want.
Think about this…
An employee with access to ePHI decides they want to work over night or on the weekend. That is pretty admirable, in itself. However, that employee decides to send the data via Gmail or another cloud/web based tool to make it available on his/her home computer. Now you have a serious problem. As most of you probably know, the cloud has a habit of being hacked and compromised by targeted attacks.
Now imagine an employee who wants to intentionally steal information! They have abundant options to smuggle information out. In addition to cloud/web apps, they can use USB drives, smart phones with cameras, etc.
While you can’t possibly stop everything, there are simple things that can be done to ensure that your data is safe, from both external threats and internal threats. There is generally zero reason for employees to have access to Gmail, Yahoo, Facebook, Pastebin, etc. from within your organization. And outside of a very few exceptions, there should be no ability to use USB drives. The great thing is that all these channels can be blocked fairly easily and with little cost.
Employees will complain about losing access to popular social websites, but it will be much easier to explain these constraints to your employees than to explain a breach to the government, your patients, and the Board.
Ask your IT service provider if they've taken steps to minimize information "leakage" by internal system users. If they aren't sure or have questions about what you mean, contact Third Rock to schedule a risk assessment.
info@ThirdRock.com | 512-310-0020