Credit cards with computer chips in them. New online passwords every 30 days with capital letters and numbers and symbols. Everywhere we turn these days, companies seem to be going to great new lengths to protect their employees’ and customers’ personal digital information against cyber threats.
There’s good reason for that. Organizations ranging from Home Depot to the Federal Government have suffered serious data breaches over the course of the past several years. The healthcare industry appears to be particularly susceptible to breaches, with over 112 million individual records having been compromised in 2015. With so many different companies suffering breaches, and with increased scrutiny around hacks, now is a good time for employers to ensure that they’re doing everything required to remain compliant and to protect their employees from cyber threats.
If you’re an employer sponsor of a group health plan, chances are you’re already subject to privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA). When thinking about cyber threats that impact you directly, the focus should be on the electronic protected health information of your employees. The first step in protecting employee information is making sure that your plan is compliant with HIPAA’s security rules. That includes implementing safeguards on multiple levels: administrative, physical, technical, and organizational. These can run the gamut from tasks as simple as updating the access controls to your facility (physical) to ones as intricate as ensuring that any data stored online is protected by appropriate firewalls and encryption (technical). Ultimately, the best thing you can do to ensure the safety of both your organization and your employees’ information is to be sure you’re HIPAA compliant. If you aren’t certain of your compliance right now, consider consulting legal counsel or a third-party HIPAA consultant.
What are some other steps that groups are taking to make sure their data doesn’t get into the wrong hands? One is educating all employees, regardless of their role, about cybersecurity and IT issues and risk management. Make sure that your company has a uniformly enforced policy for mobile device usage – especially for personally owned devices – in order to help protect sensitive information. Finally, don’t wait until you experience a breach to learn how to respond. Make sure your affected teams are well versed in their response procedures in the event of an incident.