The Wall Street Journal revealed last week several New York area nursing homes were at risk of data breaches based on private information made public online.
Spanning both residential and health care information technology, senior living providers face even more risk than other institutions by the nature of the data they collect and store.
We spoke with data security expert Mark Rasch, chief privacy officer for SAIC, for his take on protective measures to take against data breaches and what to do if such a breach takes place.
Here are four ways to make sure your community’s data is protected and that you’re taking the right steps to avoid unscrupulous hackers.
1. Create a data map. Before addressing the question of protecting data, it’s important to identify what data your company stores, where it comes from and where it is located. “Before you even get to encryption, first create a data map,” says Mark Rasch, chief privacy officer for SAIC. “Figure out what data you have, how it comes in and where it goes.” The data map should also cover residents’ use of data where they can access community wi-fi, and it should record who owns each set of data and how it is configured, outsourced and processed.
2. Identify the most critical data. Play the “what if” game, Rasch says. What if your data were to be exposed? What if the network goes down? What if hackers gained access to it? Identify the data that is most crucial in developing a plan for protecting it.
3. Figure out your risks. Identify where your vulnerabilities lie. These are most often found in misconfigurations, a lack of contractual agreements with third parties, and failures to monitor information, audit it or respond to what the monitoring shows, Rasch says. Risk might also come in the form of a lack of malware protection, a lack of antivirus plans and policies, and a lack of training or awareness. “Most nursing homes don’t have this,” he says. “Data protection isn’t a priority.”
4. Develop an incident response plan. As part of the overall plan, an incident response plan should be scripted to cover how data compromises will be fixed and repaired and whom to call if a problem arises. It should include public relations, legal, and possibly Department of Health and Human Services notification plans, if they apply, as well as notifying customers and how that notification will take place.
“The elderly are targets for fraud all the time,” Rasch says. “Health care providers are targets because they are low hanging fruit in terms of securing their own networks. By and large, people trying to steal health care data aren’t looking for health care data. They’re looking for names and addresses so they can get credit in the names of those residents.”
Written by Elizabeth Ecker