While it's critical for healthcare organizations to provide data security and privacy training to users, they also should consider implementing technology to help prevent user mistakes that can lead to breaches of protected health information, says Geoffrey Bibby of ZixCorp.
"It's obviously important to continue to remain vigilant and disciplined in offering security awareness training, and making staff aware of the fact that you just really shouldn't ever be putting PHI in an unsecured communication channel like email or texting," Bibby says in an interview with Information Security Media Group to discuss the results of the 2015 Healthcare Information Security Today survey of information security and privacy leaders. "However, a safety net that we feel is important to go along with that training is to remove any need for user action in terms of being able to encrypt an email."
Registration for a webinar on the survey results is now available. Also coming soon is a full report with in-depth analysis of the survey findings.
The survey shows the top measures that healthcare organizations are taking to prevent breaches in 2015 include improving staff training and implementing audit tools to enhance detection of unauthorized access. Also among the top measures they're taking are implementing encryption on mobile and other devices and implementing email encryption.
"Email encryption has progressed and evolved to a point now where you simply have to put in a policy-based email encryption solution and that removes any need for your users to have to concern themselves with whether or not they need to encrypt this sensitive mail or not," Bibby says. "Once the email passes through a gateway that your organization would have, it gets scanned for any sensitive content. And if there is any sensitive content, that would immediately trigger encryption, and it is sent in a secure fashion. So, that's one really simple way that someone can address a very major source of data loss, which is email."
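The gateway flow Bibby describes (scan every outbound message, and let a content match rather than a user decision trigger encryption) as an added worked example. This is not ZixCorp's product or code; the internal domain, the PHI-matching rules and the sample messages are all constructed for illustration.

```python
"""Toy policy-based outbound e-mail encryption gateway (constructed example).

Each outbound message is scanned against a small rule set that looks for
PHI-like content. If any rule matches and at least one recipient is outside
the organization, the message is routed to the secure (encrypted) channel;
otherwise it goes out as ordinary mail. The sender never has to decide.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical internal domain; any other domain counts as external.
INTERNAL_DOMAIN = "clinic.example"

# Content rules. Patterns are illustrative, not a production PHI classifier.
RULES: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(
        r"\b(?:DOB|date of birth)\s*[:\-]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b",
        re.IGNORECASE),
    "clinical_terms": re.compile(
        r"\b(?:diagnos(?:is|ed)|prescri(?:bed|ption)|lab results?|pathology)\b",
        re.IGNORECASE),
}

ENCRYPT = "encrypt"   # hand off to the secure delivery path
DELIVER = "deliver"   # ordinary SMTP delivery


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str


def is_external(address: str) -> bool:
    """True when the recipient's domain is not the organization's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != INTERNAL_DOMAIN


def scan(msg: Message) -> List[str]:
    """Return the names of rules that match the subject or body, in rule order."""
    text = f"{msg.subject}\n{msg.body}"
    return [name for name, pattern in RULES.items() if pattern.search(text)]


def decide(msg: Message) -> Tuple[str, List[str]]:
    """Gateway policy: PHI-like content leaving the organization gets encrypted.

    Internal-only traffic is delivered as-is (assumed to stay on internal,
    TLS-protected transport), but the matches are still returned so the
    gateway can log them for audit.
    """
    matches = scan(msg)
    leaves_org = any(is_external(r) for r in msg.recipients)
    if matches and leaves_org:
        return ENCRYPT, matches
    return DELIVER, matches


def route(msg: Message) -> Dict[str, object]:
    """Produce the routing record a gateway would log for one message."""
    action, matches = decide(msg)
    return {
        "to": msg.recipients,
        "action": action,
        "channel": "secure-portal" if action == ENCRYPT else "smtp",
        "rules_hit": matches,
    }


# Constructed sample traffic (all addresses and identifiers are made up).
SAMPLES = [
    Message("nurse@clinic.example", ["billing@insurer.example"], "Claim follow-up",
            "Patient MRN: 00421877, DOB 03/14/1962, lab results attached."),
    Message("nurse@clinic.example", ["frontdesk@clinic.example"], "Schedule",
            "Patient MRN 00421877 moved to 2pm."),
    Message("admin@clinic.example", ["vendor@supplies.example"], "Order",
            "Please ship 20 boxes of gloves to the loading dock."),
    Message("doc@clinic.example", ["patient@mail.example"], "Your visit",
            "Your SSN on file is 123-45-6789; please confirm."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(route(m))
```

The two inputs to the decision are content and destination: the first and fourth sample messages carry PHI-like content to outside domains and are diverted to the secure channel, the second carries the same MRN but stays inside the organization, and the third has no sensitive content at all. A real gateway would add rules for attachments, tune the patterns against false positives, and record every match for audit, but the user-facing property is the same as in the interview: nobody has to remember to click "encrypt".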
Bibby advises against relying on mobile device encryption as the way to prevent breaches, arguing that PHI should not be on those devices in the first place. "We don't believe that encrypting mobile devices is the way to go," he says. "We fundamentally disagree that has to be the path that someone takes, and a lot of our customers ... support the fact that they just don't want the sensitive information on someone's mobile device in the first place."
In the interview, Bibby also discusses:
- How to avoid falling victim to phishing schemes;
- Important steps that healthcare entities can be taking right now to improve their overall information security and privacy programs;
- How secure email technology is evolving.
Bibby joined ZixCorp, a provider of secure email technology, in September 2003 and serves as vice president of corporate marketing. Before joining ZixCorp, he spent six years at Entrust Inc., an Internet security vendor, where he served in various management roles, including marketing director for Entrust European operations.