Sophrona Solutions, Inc.
855 Village Center Drive
#329
North Oaks, MN  55127
 
tel. 800.608.6017
fax. 612.643.3555

Ophthalmology Patient Portal and Online Communication Editorial

Happy National Cyber Security Awareness Month!

October 1, 2009

It seems as though every month is designated an awareness month for some important cause. I’m sure you can think of examples. For October, two vitally important causes come to my mind. Of course, October is Breast Cancer Awareness month. Support groups, cause organizations and survivors have truly set the benchmark when it comes to creating awareness, education and empowerment around this incredibly important cause. Organizations like National Breast Cancer Foundation have drawn amazing attention to this disease and found success at driving solutions to issues of research, funding, early diagnosis, and ultimately a cure.

This editorial is not, however, about breast cancer awareness. That leads to the second important cause for which October might be known: National Cyber Security Awareness Month. I have a suspicion that National Cyber Security Awareness Month does not share anywhere near the same name recognition as National Breast Cancer Awareness Month. Granted, cyber security awareness hasn’t been around for 25 years, as that other well-known cause has. But the fact remains that we could learn a lot from that organization about how to create more awareness around cyber security. So what is happening to draw attention on the cyber security front, and what more needs to be done?

Mike Papp, Security Manager & Privacy Officer
Sophrona Solutions, Minneapolis, MN

GLBA, SOX, PCI, and HIPAA, oh my!

Thanks to some significant lawsuits and corporate collapses, not to mention the many individual losses of personal savings, legislation has come down to really press public companies and companies with financial or banking operations to increase security awareness and implement programs that diminish threats and limit the impact of an information breach. It may be fair to argue that GLBA (Gramm-Leach-Bliley Act) and SOX (Sarbanes-Oxley) have done a lot to ensure the security of information passing through the relatively small security-related space that falls under the auspices of GLBA or SOX.

PCI (Payment Card Industry) standards have done a lot to assure that credit card transactions are safe from those who might try to steal our information. The fact remains, however, that most PCI-related breaches occur outside the space of large, level-one merchants (the Walmarts, Targets, and Home Depots of the world), where PCI enforcement is truly significant. Smaller companies, like the typical ophthalmology practice, are not as regulated. In fact, nearly one third of all credit card transactions occur through such small (level 4) merchants. For the 99% of all merchants who are considered level 4, PCI accreditation is self-administered and not subject to professional audit.

HIPAA (Health Insurance Portability and Accountability Act) has been the key driver in ensuring that companies who handle patient medical information take steps to safeguard that information. However, unlike PCI, few clear and detailed security technology requirements exist, making it harder for an organization to prove it is compliant. As such, no certification process exists today.

The new administration

One bit of good news brought about by our recent economic crisis is that the Obama administration has injected billions of dollars into programs that help ensure security compliance. For instance, 19 billion in stimulus funding has been set aside (HITECH Act) for health care technology companies to implement systems that help ensure the effective exchange of medical information, and also to strengthen and expand the rules established under HIPAA for protecting the privacy and security of health information, including adding a business associate provision and a breach reporting requirement.

The new administration has taken additional steps to ensure the recognition of cyber awareness, including an unprecedented focus on highlighting the importance of cyber security to our national economy and the naming of a “cyber czar” position within the administration.

The cost of all these programs

Implementing all of the programs mentioned can be incredibly expensive. In our current national economic situation it can be hard to justify the spending. Luckily, audit requirements and the fines associated with being non-compliant are really helping enforcement among large companies. Small practices, however, are often tempted to put their limited funding into revenue-generating aspects of their business, leaving security largely to luck and prayer. Until enforcement, incentives, or effective awareness truly drive the decision-making process, many small companies and individuals will continue to feel as though security is an optional nicety.

What can you do? Let’s simplify the complex

Taking a step back from corporate-level security awareness, the largest onus for security could arguably be placed on the individual. Whether at your place of business or at home, awareness is the key to preventing breaches of information. The fact is, securing your information can seem daunting. However, simply following a few rules of thumb can go a long way towards providing protection.

  1. Turn on your Internet firewall and utilize a recognized security method like WPA encryption or MAC addressing. I’m still amazed that I can drive to nearly any neighborhood and ‘scam’ an unsecured internet connection with my laptop.
  2. Keep all your software current (including your Web browser) with automatic updating. Don’t ignore those automated messages to update your software. Those updates are often addressing recently discovered security holes.
  3. Install and maintain anti-virus and anti-spyware software. Only download software from a company you trust. It’s not good enough to just have anti-virus any longer. Anti-spyware is just as important to prevent others from ‘phishing’ for your bank accounts, passwords or other information.
  4. Develop a healthy distrust. Don’t open email attachments from untrusted sources.
  5. Manage your passwords. Change your passwords regularly, don’t use your pet’s or your children’s names, and be sure to utilize ‘strong’ password techniques by adding symbols, special characters or numbers to your password sequence.
Mike Papp
Email: mpapp@sophrona.com
Security Manager & Privacy Officer
Sophrona Solutions

Sophrona Solutions, Inc. © 2003-2010. All Rights Reserved.