Last year, I received a letter in the mail from my insurance provider stating,
“Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.”
Healthcare organizations are commonly targeted for hacking and security breaches, not just externally as in Anthem’s case, but internally as well.
From 2005 to the present, over 970 healthcare security breaches have been made public due to insider theft, physical loss and portable or stationary device theft.
When hospitals have security breaches, not only do they have to issue press releases revealing negligence, but they also typically have to pay for free credit and identity protection services for affected individuals. Some healthcare companies have to go even further. For instance, when an employee of Bon Secours St. Francis Health System was found to have inappropriately accessed patient information, the organization had to provide additional employee training, terminate employees, and even involve law enforcement, creating a lot of media coverage and bad press for the hospital.
Obviously, as healthcare marketing professionals, we can’t be in charge of creating secure external networks for our clients, but we can advise them to take the following easy steps to help protect themselves from internal breaches and prevent the media nightmares that will ensue.
The best offense is a good defense.
Yes, that’s a clichéd metaphor, but it’s sound advice. Does your organization have protocols in place for leaving workstations unattended? Do those workstations require login after being inactive? Does your staff log out of patient files as soon as they’re finished with them? Are they careful with how their monitors are angled when looking at secure information?
Does your staff use secure passwords?
Password security in any organization should be a no-brainer. And most people think, “My password is at least 8 characters with both letters and numbers, so I’m safe.” The truth is, it’s not that easy. I thought a lot of my passwords were safe. I used capital letters and numbers, yet many could be cracked by a computer in less than 3 hours. I was most confident about my banking password…that took just 1 minute to crack. To find out how quickly your password could be hacked, try this website: https://howsecureismypassword.net. The most secure passwords aren’t words but are phrases that use numbers and even symbols, like MsPiggy<3Kermit. That password would take a computer 34 billion years to crack.
Passwords and login credentials should also be unique to each employee so that internal breaches can be traced.
If any employee leaves the organization, their credentials should IMMEDIATELY be deactivated. In 2014, a survey conducted by Intermedia found that about 89% of employees retained access to at least one login and password from a previous employer. It only takes one vindictive ex-employee to cause massive damage.
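One way an IT team could check both points above (unique credentials per employee, and deactivation when someone leaves) is to compare an HR roster against an account export. This is an added example, not from the original article; the CSV column names, usernames and dates are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (hypothetical column names and values).
HR_ROSTER = """employee_id,name,termination_date
1001,A. Rivera,
1002,B. Chen,2024-03-15
1003,C. Okafor,2024-05-01
"""
ACCOUNTS = """username,owner_ids,enabled,last_login
arivera,1001,true,2024-06-02
bchen,1002,true,2024-04-20
cokafor,1003,false,2024-04-30
frontdesk,1001;1003,true,2024-06-01
"""

def audit(hr_csv, accounts_csv):
    """Return (stale, shared, used_after_exit) lists of usernames."""
    # Map each departed employee to their termination date.
    terminated = {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        if row["termination_date"]:
            terminated[row["employee_id"]] = date.fromisoformat(row["termination_date"])
    stale, shared, used_after_exit = [], [], []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        owners = acct["owner_ids"].split(";")
        enabled = acct["enabled"].lower() == "true"
        # More than one owner means activity cannot be traced to one person.
        if len(owners) > 1:
            shared.append(acct["username"])
        exits = [terminated[o] for o in owners if o in terminated]
        if not exits:
            continue
        # Still enabled although at least one owner has left.
        if enabled:
            stale.append(acct["username"])
        # Logged in after the earliest departure: needs investigation.
        if acct["last_login"] and date.fromisoformat(acct["last_login"]) > min(exits):
            used_after_exit.append(acct["username"])
    return stale, shared, used_after_exit

if __name__ == "__main__":
    stale, shared, late = audit(HR_ROSTER, ACCOUNTS)
    print("enabled after owner left:", stale)
    print("shared logins:", shared)
    print("used after termination:", late)
```

A shared login such as the constructed `frontdesk` account shows up in all three lists, which is why shared credentials make both tracing and offboarding harder.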
In an age where our entire lives are accessible electronically, these measures are vital to maintaining the integrity and reputation of an organization. Hopefully, these reminders will help minimize internal security breaches and the loss of reputation that they cause.