It’s already that time of year again. Summer is coming to a close, and kids are getting ready to go back to school. To help everyone transition out of the dog days of summer and into the classroom, many schools offer students and families a “back to school” checklist. The list prescribes the textbooks and supplies needed for classes, as well as the medical exams students must complete before the school year begins.
I’ve noticed that the retail industry plays into the idea of a “back to school” checklist, too. Many retailers create their own list to assist shoppers with their school year preparations, and the stores benefit by encouraging shoppers to buy more than they need by including some items that aren’t as necessary as they are nice-to-have. I picked up one of these lists the other day when I was at my local office supply store, and it occurred to me that healthcare organizations could benefit from a checklist, too. A “back to school” security checklist could help healthcare organizations go into the fall with the confidence that they are prepared to tackle the security and compliance challenges they may face.
The following list is not a comprehensive security and compliance guide. We’ve covered some security need-to-haves, like point-to-point encryption and system awareness, in previous Security Corners. The list below highlights some “back to school” inspired items that will help your organization be better prepared for a successful and secure year.
Emergency Contact List
Students are required to give the school a list of contacts who can be reached in case of emergency. Does your organization know who to call in case of a security breach? Keep a list of all of your security contacts and make it easily available to your security and incident response team. The list should be extensive; consider including the following internal and external contacts:
- Information Technology
- Network Operations – Internal
- Privacy Officer
- Security Officer
- Human Resources
- Antivirus and Anti-Malware Vendors
- Data Centers/External Network Operations
- Telecommunication Providers/Internet Service Providers
- Law Enforcement – Local and FBI
If you do need to reach any of these contacts, how will they establish who you are when you call? Don’t assume they will immediately recognize you by your office number. Make sure you know in advance what information they may request of you so that you are ready to offer it even if part or all of your network is down.
Mobile Device Policy
As students return to school, most of them bring their mobile devices along with them. In a very short period of time, some of those students will be the healthcare providers working at your organization. As smartphone use continues to evolve into a way of life, the lines between personal phones and work phones are blurred. A recent report found that 70% of doctors are using mobile devices to share in-patient data and 28% of providers have patient data stored on their mobile device (Mobile Threat Intelligence Report).
While mobile usage in healthcare presents meaningful benefits to both providers and patients, it also opens the door to more security attacks, especially with employee-owned devices. With so many providers using smartphones to manage patient data, the security of that data would be seriously threatened if a doctor’s smartphone were to get hacked.
Keeping this in mind, healthcare organizations should establish a mobile device policy to mitigate security risks while still embracing the benefits of mobile health. First, if providers are using their own devices for work purposes, determine the guidelines for what kind of information can be stored and shared. If your organization decides to permit the sharing of patient data, you should establish a password and encryption policy that applies to these mobile devices. Finally, consider a mobile device management tool to help your organization protect and manage the security of multiple devices in a scalable way.
“Study Abroad” Program
This semester, many college-aged students will be taking their studies outside of the classroom. Healthcare organizations can take the same approach to security and compliance training. Offer your staff the ability to take training courses online to help educate them about your security policies, procedures and best practices. By offering greater and more flexible access to training, you can improve the awareness and preparedness of your staff to better ensure the security of your organization.
As students prepare for a new school year, healthcare organizations can take a similar fresh-start approach to evaluating their security and compliance preparedness, as well as consider new policies and solutions.