By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
Not a day can go by without the importance of security being underscored as the means by which privacy can be maintained. Data breaches continue to be disclosed daily, if not more frequently, HIPAA settlements are coming fast and furious as 2020 goes on, and outside threats are always rising.
If security is a necessity, then how should it be promoted and implemented? Effective security involves developing synergies among individuals, technology, and processes. None of those factors can be effective in isolation, nor can any individual factor succeed without the others going in the same direction.
Individuals
What is meant by individuals? Individuals includes all of the people actually working within an organization. Each and every person is important, not just people in certain roles such as information technology or frontline interactions with patients or data. A breakdown on any level can easily result in an exposure that opens the gates to all of a organization’s data.
If every person in an organization is important, how can that importance be conveyed and promoted? Education, training, and support are three of the key means of doing so. All of the activities goes to ensuring that individuals know what expectations are in place while providing those individuals with a clear foundation to work from. If knowledge of requirements does not exist, then it is unfair to find fault when an individual does not do what is expected.
If education and training are so essential, then care should be given to present information in an engaging way. Distributing the same boring slides every year or make an annual training an event of dread will likely breed an air of disinterest. Instead, if training can be engaging and tied directly into what the activities of each organization, then individuals can gain a deeper appreciation of why security is so important and also connect security efforts to actual operations within the organization. It is a movement from the abstract to the concrete, which is often cited as a means of enabling and enhancing learning.
Once education and training occur, ongoing support is the next critical component. Questions should always arise, especially at unexpected times. In recognition that queries will come in, a team that is ready to help out becomes essential. If a goal is to promote awareness, then concerns cannot just disappear into the ether. Demonstrating attention to concerns will also feed into the understanding that the organization works together with its people and wants to promote an atmosphere of taking the right action.
Procedures
Putting appropriate procedures into place is another component of setting individuals up to succeed. The referenced education and training must inform individuals about something. Beyond detailing regulatory requirements (think HIPAA in healthcare), the other piece of education is what the organization does to protect privacy and security. The “what” is in reality the policies and procedures. Many policies and procedures will be driven by regulations, but others can reflect standard operating procedures and other processes unique to a particular organization.
Regardless of the underlying reason or basis for a particular procedure, it is important to be considerate in the preparation and enforcement of the policy. Taking a cookie cutter approach by downloading a form off the internet is not likely to lead to success or adherence. Additionally, even taking the time to tailor a policy, but then sticking it on the shelf never to look at it again also does not represent a good approach.
An approach that is more likely to succeed will evaluate an organization’s operations, identify specific risk factors, and then build policies around the identified needs and issues. While identification of unique needs does not preclude generic procedures for some aspects, blending in the more carefully drafted procedures should enhance the opportunity for success in terms of promoting overall security.
The other factor for positive procedures is to view procedures (and policies) as continually evolving. If a procedure is permitted to remain static then it will quickly be left behind and could actually create unnecessary exposure for the organization. Instead, revisiting procedures as the world changes is absolutely necessary. A good plan one year (or potentially even one day) can be surpassed when a new threat emerges. Paying attention to new threats and changes to old ones can also create a feedback loop with education because new iterations of threats can provide new means of presenting information to keep people trained.
Technology
The growing sophistication and refinement of technology means it presents an opportunity to be a tool to ease individual burdens. Solutions incorporating machine learning style components can quickly scan vastly greater amounts of data than an individual could in a significantly longer period of time, which means analyses can be based upon a broader set of information, which in turn means giving more action items for individuals. Additionally, tools can also be implemented to almost go on a counter-offensive against attackers by creating layers or other barriers to intrusion.
The ability of a technology based tool to expand privacy and security efforts should not be lightly dismissed. The expansion of possibilities has occurred relatively quickly, which means many are playing catch up to a degree in appreciating the potential benefits.
However, care should be given before relying too much on technology. Sometimes a solution can be beneficial, but only if configured appropriately. Absent appropriate configuration, which best settings may not be the default, data could become exposed and problems exacerbated. Exposed S3 buckets on Amazon Web Services are a frequent example of this danger with many data breaches of exposed databases tracing back to security not being turned on because it was not the default. Technology can also promote speed in completing tasks, which speed can be dangerous as it may outpace the ability or opportunity to double check everything that is occurring. From this perspective, technology can enhance inherent complications, even unintentionally.
The Intersection
As the description of each issue demonstrates, promoting good security and privacy really takes attention to a number of interconnected and intersecting factors. Each feeds into the other and none can be viewed isolation. Ultimately, good practices require holistic attention to individuals, procedures, technology, and likely many more factors. None of that is to say maintaining privacy or security is easy, which it should not be because not many good things in life do come easily.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.