According to IBM Security, almost 100,000,000 healthcare records were compromised in 2015. Data breaches are a serious problem across industries, especially in healthcare. We are all at risk from our healthcare records being hacked. The article Why change management needs review by IT security addresses the “elephant in the room” by recommending that the IT department participate in change management policies and procedures.
“Investigations conducted by the HHS Office for Civil Rights often reveal that healthcare organizations fail to implement policies and procedures to prevent security violations or effectively manage risk1.”
The graph below display the healthcare hacks by type. Malware, physical theft, human error and phishing can all be reduced through IT security training. Educating users is key. Phishing attacks can be thwarted by educating users not to open email attachments and hyperlinks from unknown senders. In addition, malware can be reduced through monitoring and maintaining servers and computers.
Here are the recommendations for key steps in an effective change management process1:
- Document and implement a change management policy and procedure and ensure the process oversees and monitors all changes to existing and new technologies such as servers, desktops, applications and databases.
- Establish a detailed process flow for applying the change with back-out plans and integrate security reviews prior to a change and post introduction to validate installation is consistent with security requirements.
- Define and assign roles and responsibilities to coordinate, document, communicate and approve change requests and ensure that only those individuals authorized to carry out a change, has the relevant access and that all necessary approvals are received prior to a change being introduced.
- Establish and regularly assemble a Change Advisory Board, composed of technical and business membership, while communicating change plans to all stakeholders within a reasonable time prior to the scheduled change.
- Test the change in a non-production environment prior to implementing any change in the production environment.
- Ensure the asset inventory is updated whenever a technology is added, modified or removed from the environment, including the installation of software and software patches to provide an accurate and complete view of organizational assets.
- Provide ongoing training and communications to ensure users thoroughly understand and follow the change management process and its value to the organization.
- Track approvals, decisions and variances in a change management repository including the associated rationale behind decisions made and ensure all changes are carefully documented.
- Establish metrics to provide a process baseline, determine the effect of process improvements, identify areas where the process may be ineffectual or broken, and assess improvements that could make the process more effective or efficient.
If you are unsure whether or not your company is HIPPA compliant contact Zerofail Southeast for an assessment at firstname.lastname@example.org.