Balancing patient data security and convenient access is possible
Cybersecurity can be exhausting and difficult to control, even for IT pros. A security risk management executive at AbbVie Inc. discussed cybersecurity at the 2016 PDA/FDA Joint Regulatory Conference and offered some tips for how you can ramp up your organization’s IT security efforts.
Health sciences companies have an obligation to safeguard patient data; at the same time, they need to allow patients convenient access to their information. When patients view their information from a variety of computers and mobile devices, it creates an information security tug-of-war. Robert Higgins, vice president, security risk management at AbbVie Inc., shared some insight about this issue at the PDA/FDA Joint Regulatory Conference held in Washington, D.C., from Sept. 12-14.
Robert identified some of the top trends and risks associated with information security. “Cyberattacks are increasing and becoming more sophisticated,” he said. Unfortunately, cybercriminal attacks are only part of the problem: security risks can also be internal, and internal risks are more difficult to detect and prevent.
The following are some of the common external security risks:
- Ransomware is designed to encrypt files and then demand a ransom from the owner to recover (decrypt) the files. It can also permanently delete files from computers.
- Malware is designed to disrupt computer operation, gather sensitive information or gain access to private computer systems.
- Phishing uses emails that contain malicious links or files to steal information or infect computers.
Some of the common internal security risks include:
- Employees downloading sensitive information onto a mobile storage device and taking it out of the building.
- Employees sharing login credentials.
- Employees opening files emailed from unknown senders.
Because cybersecurity is complex, costly and labor-intensive, Robert identified five areas that companies can focus on to address information security risks.
#1 Focus on what matters most.
It would be too costly and difficult logistically to employ the same security measures on every machine and component in your IT infrastructure. Therefore, identify the critical business assets that are most vulnerable to attacks and strengthen your security efforts in these areas. This likely includes intellectual property and your IT infrastructure components (servers, data, transfer protocols, etc.) used to store and transport sensitive patient and employee information.
#2 Measure, report and govern security processes.
It’s important to regularly measure and create reports on the key indicators of security vulnerabilities. This helps you catch issues before they escalate and become a costly security breach. Also, operate under the assumption that breaches will occur and continue to assess and improve the performance of your security measures.
#3 Align with existing information security and risk management standards.
#4 Make information security relevant to the business.
Your IT staff needs to have a conspicuous role in your business and operation strategies. Here are a few ways to make that happen: 1.) Invite people from IT to sit at the conference table where key business decisions are made so they can add valuable technology insight. 2.) Encourage system administrators to map critical assets across business and operational systems, as well as third parties—keep this map current and visible. 3.) Try not to delay or restrict newer technologies. Many CPU and system technology upgrades include functionality that addresses the latest security risks.
#5 Implement companywide security awareness policies.
Make security everyone’s responsibility with clear policies that keep security on everyone’s mind. These should include policies about sharing passwords, opening or forwarding emails from unknown senders, clicking on suspicious links, using portable storage devices, etc. Let your security measures drive your compliance efforts instead of the other way around.
These tips can’t guarantee that your IT infrastructure and sensitive data will be impenetrable. They are intended to narrow the areas of focus for your IT security efforts to make them more manageable. The investment of time and resources in cybersecurity is a lot less than the cost of recovering from a security breach.
David Jensen is a marketing communication specialist at MasterControl. He has been writing technical, marketing and public relations content in technology, professional development, business and regulated environments for more than two decades. He has a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.