Best security practices to protect your HIPAA database
What are some of the best security practices organizations need to implement and what role does a UEM play in this?
Get fresh insights, pro tips, and thought starters–only the best of posts for you.
Feb 1, 2022
14 min read
It is natural for companies to collect data as part of their daily operations. With the substantial amount of data being collected and managed, businesses will always have to contend and anticipate the risk of data loss and misuse. Data privacy laws came into existence to address the need for businesses to seriously take up compliance and implement enough technical and administrative security controls to protect the information they collect on users.
You’ve spent a colossal amount of time building your business and customer base. Everything is going according to plan but then right out of the blue, your organization is suddenly under fire for a data breach. This was completely unforeseen and now you end up paying fines probably worth millions of dollars. How did this happen? You thought you did everything that was required to safeguard the data you were storing and managing at the time.
Before you scratch your head to get down to the root of this mess, remember privacy laws keep changing. Compliance is never static and it keeps changing as newer cybersecurity threats are detected. Regulators make changes to data privacy laws to combat these threats and expect businesses that fall under their purview to comply with them.
Keeping track with changes in data privacy laws can be difficult, extremely difficult if you are starting from scratch. If you have the mindset to have information security and data protection baked into the core of your processes and systems from the beginning, then complying with these laws shouldn’t be as overwhelming as it sounds.
Now, thinking from a purely business perspective, what are some of the long term benefits your company can get from complying with changes to data privacy laws? Here are a few:
A couple of years ago, the average IT admin only had to manage mobile devices and PCs within the workplace. The device management scape later grew to include laptops, desktops, IoT and rugged devices. UEM looks into the complete management of all these devices. They are designed with the best security practices in mind to help organizations consistently maintain the level of data protection they need to secure their assets inside and outside of their organization’s network. Let’s break down a few here.
Containerization helps to prevent the crossover of confidential business information into the personal space of the employee and vice versa. Presently when employees are logging in remotely from their own personal devices, organizations should have the right security measures in place to ensure data security within those devices.
Containerization helps take care of that by creating a secure workspace on the device. This makes sure the organization only has access and control over the corporate space of the device. These containers can be secured by locking it down with passwords, limiting sensitive information from being copy pasted and restrict the sharing of files between the two spaces.
Phishing has always been a widely used tactic of cyberattackers and this has never failed to stop employees from falling victims to it. These attacks have improved to a point its becoming quite difficult to tell apart a cleverly disguised phishing mail from a genuine one. Web content filtering can help block access to websites that look suspicious or malicious.
Threats from an outside data breach can be reduced significantly as the filter can prevent employees from accessing websites that encourage them to download or save content that can prove to be harmful to your organization. It also helps save money on bandwidth usage as it restricts employees from using websites that takes up a lot of data for non-work-related purposes.
The pandemic makes it more challenging for organizations to ensure the security of sensitive corporate information and PII. With majority of your workforce working remotely, it cannot be easy to maintain the same level of data protection that was once enforced while working on site. Admins can tackle this herculean task by limiting access to only corporate approved networks and preconfigure the VPN, firewall and email settings to ensure data stays secure while in transit and at rest.
Encryption plays an important role in securing confidential information. It does so by converting the information into an unreadable format. You can level up the security of Windows and macOS devices by remotely enabling BitLocker and FileVault on them.
Geofencing is a virtual fence that admins can create to ensure sensitive data doesn’t stray far away from the confines of the organization, especially in the case of BYOD, CYOD and COPE business models. You can create a fence around your organization and remotely push policies to the devices that have the MDM profiles and are enrolled. Once these devices enter the fence, all the policies that you have defined, be they password policies or an app blacklisting policy, will immediately be enabled.
In this way employees won’t make any untoward changes to the device or app settings when they are within the scope defined by your organization. In case of personally owned devices, strong passwords can be set up on the container and restrictions can be made to ensure employees don’t access any work-related documents once outside of the company’s network.
One of the key things to ensure the protection of your devices is to set up a good strong password that is hard to crack. Although hackers are getting good at deciphering password at various levels of complexity, the key is to update them at periodic intervals. Try not to set up a too regularised pattern as it would be easy for hackers to guess when the time for the next password update is due.
You have all the devices enrolled and you have all the necessary policies pushed to it. Great, now how do you make sure that the devices stay compliant to the policies you’ve pushed? One of the biggest advantages of working alongside a UEM solution is that it saves admins a tremendous amount of work manually checking each managed device by having generated reports send right into their inbox. These reports give admins a detailed overview on compliance based on users, devices and applications.
Remember the notification you get on your device, reminding users it’s time to update their operating system? These notifications though annoying are useful because newer updates always come with security patches that protects the device from various cybersecurity threats. If your organization is running on an old server and you’re not sure the devices may be compatible to it, you could always schedule the update for another time.
Jailbroken or rooted devices give users complete admin privileges to the devices. This means giving them the freedom to bypass any restrictions your organization may have placed to keep the devices more secure. There’s also the issue of incompatibility – with the applications you deploy, software updates and loss of warranty. It is due to the presence of these threats that most UEMs don’t encourage the enrolling of jailbroken or rooted devices because the risks of having them onboard will simply be too high.
Create catalogs with all the applications approved by your organization to make sure employees have all the necessary tools on hand to get their work done. This dissuades employees from installing rogue apps of their own and gives your organisation the assurance that information does not fall into the hands of malicious users.
The blacklisting feature would come useful when you need to block applications that have been reported to have weak security. You can further manage the applications you deploy by remotely pushing upgrades and downgrades and predefining its permission and configuration settings.
Some of the benefits of locking down devices to operate in kiosk mode is that you can limit the number of applications and device functionalities you want on display. This keeps sensitive information safe and stops users from tampering with any of the restrictions you’ve set.
All is not lost when a device goes missing. If you’ve initiated a remote lock and wipe as soon as the user reports it missing and have implemented a strong password policy, the device will remain unusable to the person who finds it. You can even track the location of the lost device and enable lost mode to lock the device and display a customizable message with the owner’s name and contact information.
Policies on maintaining information security and data protection is always unique to the organization that implements it. It’s important that all requirements specific to your business and customers are properly documented within these policies. Bear in mind, any policies that you create should properly define the process in which data can be stored and handled both internally and externally by your organization.
Hire a team of employees with the proper amount of legal and compliance expertise to draft the policies. Once that’s done, make sure you upload the policies somewhere that is easily accessible by everyone within your company.
It’s good to have the policies reviewed at periodic intervals. Following old policies that haven’t been updated in a while can be incredibly risky. Your organization should always be aware of the changes to data privacy laws and the best way to do that is to include it within the policies.
Don’t take the lackadaisical approach of waiting for an incident to happen to update the policies. Regular reviews will not only make your policies more efficient, but it will also help gain the trust of your customers. The policy reviews could either be done by your CISO or head of the IT Operations. You should have a proper communication channel established where employees can reach out to the right person to answer any questions or concerns they may have.
In order to ensure complete data protection, your organization should have a clear understanding of all the data that could be at risk and therefore should implement proper security measures to protect them.
A well written and updated data classification policy should be in place to understand who the data belongs to. Organizations can then decide on the levels of protection they need to implement to protect the type of data they handle.
Most regulatory compliances encourage organizations to conduct a risk assessment at periodic intervals. Risk assessment is a process in which businesses list out the risks applicable to them and evaluate them. These risks will then be further treated or brought down to an acceptable level by using technical and operational controls. Operational controls would be following the policies you document, and other administrative safeguards used by your organization.
It’s not a bad idea to conduct internal audits either. An internal audit would give your upper management a clear idea on the current progress of your organization’s security infrastructure. The results of these audits could be documented and updates to the policies and current implementations can be done accordingly.
It’s important to have a proper data disposition policy too. You could conduct meetings with each team within your organization and make a list of all the records they maintain. Get legal guidance to get a proper picture of the retention period of each of these records. Make sure to dispose data when they are no longer required. Define ways in which the disposition will be done within the policy.
Strict access controls, both physical and electronic should be in place to minimize the occurrence of unauthorized disclosure or modification of confidential information.
Humans are often the weakest link when it comes to cybersecurity. We have heard this often enough, but unfortunately this still rings true today. It’s vital for organizations to conduct training and awareness sessions at periodic intervals to make sure employees fully understand their responsibility in maintaining data security and protecting the interests of customers and the company.
The responsibility of conducting these sessions could be shared between your HR team and Compliance or IT team. You could conduct an exam or hand out feedback forms at the end of each session to understand how helpful the session was and decide whether any changes need to be made.
In addition to covering general security practices, the session could also cover new data privacy laws and changes to the existing privacy laws. Build a team of experts within the company and make it their responsibility to ensure that all of your organization’s operational workflows, systems and tools are compliant with the legislative requirements.
No matter how stringent your security measures maybe, it’s always best to anticipate the occurrence of a data breach. Document an incident response plan and a business continuity plan and test it out at periodic intervals.
As these policies are specific to organizations, it’s ideal to get inputs from various teams such as your IT team, Development team, Facility team and System Admin. Set up reminders to make sure tests of these plans are carried out by the respective teams. This ensures the plan stays effective and employees always know what to do when an actual breach occurs.
It’s important to define proper roles and responsibilities within the incident response plan. This would give your employees a clear idea on who to report to when they suspect a breach has occurred. By documenting these roles, you show your customers and other stakeholders that your organization takes information security seriously and have all the right measures in place to ensure data protection.
In HIPAA, for instance, a covered entity should act on an individual’s request for access no later than 30 days after the request have been put forward. In case of GDPR, individuals can access personal information by submitting a DSAR (Data Subject Access Request) to the organization. Once the organization receives the DSAR, they’ll have to respond to it in a month.
UEM solutions help organizations improve data protection by smoothening out various hiccups on their road to being successful compliant with data privacy laws. Try Hexnode free for 14 days.Sign Up
This article and the information in it do not constitute legal advice and are intended to support customers in their compliance efforts.