While breaches of personally identifiable information (PII) and protected health information (PHI) garner all the media attention, PHI and PII are not the only data at risk within your business. Loss of any form of sensitive information to any nefarious source can create issues that cripple your business in multiple ways.
Cybercriminals stalk the internet looking for everything of value — and that includes more than just credit card numbers and patients’ medical information. In fact, there is a long list of sensitive information that is at risk.
For example, your product designs, business plans, and partner lists all have value to competitors. Your employee and customer contact information is ripe for phishing attacks. Your client data could provide the missing pieces to information that scammers have obtained elsewhere.
Everything is For Sale
Hackers now work on a similar principle to a vehicle “chop shop”, selling every scrap of acquired resources (your information) to gain maximum value from a hack.
According to the NACD Cyber-Risk Oversight Handbook from the National Association of Corporate Directors: “Organizations are at risk from the loss of IP and trading algorithms, destroyed or altered data, declining public confidence, harm to reputation, disruption to critical infrastructure, and new legal and regulatory sanctions. Each of these risks can adversely affect competitive positioning, stock price, and shareholder value.”
Expand Your Security Beyond Personal Data
Even if you think your organization is not at risk for data breaches because you don’t, for example, handle a lot of personal information, you are still at risk of a cyber breach through any information you are not protecting. Further, when healthcare organizations focus solely on basic compliance and security issues, they leave a lot of other valuable data at risk of a breach.
Instead of giving cybercriminals unsecured access to any sensitive data in your organization, you can create a broader security plan that includes the following data, along with PHI.
• Patient and customer lists.
• Employee payroll records.
• Employee email lists.
• Employee health and medical records.
• Employee login credentials.
• Business and personal financial records.
• Contractor and supplier data.
• Contracts with customers, suppliers, distributors, and joint venture partners.
• Business leads and enquiries.
• Product design and development plans.
• Legal, tax, and financial correspondence.
• Business plans, including merger or acquisition strategies, bids, etc.
• Marketing plans.
• Trading algorithms.
• Facilities information, including plant and equipment designs, maps, and future plans.
• Source code.
This is not to say that all data needs to be secured in the same way. You can create a multi-level data security system that, for example, assigns access rights to specific data.
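The tiered approach described above, sketched as an added example (this is illustrative code, not a Clearwater Compliance tool). Data categories are taken from the list in this post; the tier assignments, role names, clearances and need-to-know sets are assumptions chosen to show the mechanics. Access is denied by default, requires both a sufficient clearance and a business need for the specific category, and every decision is recorded; a second helper flags data you hold but have not yet classified, which is exactly the data the post says is left unprotected.

```python
from enum import IntEnum


class Tier(IntEnum):
    """Sensitivity tiers, lowest to highest (assumed three-level scheme)."""
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumed classification of categories named in the post's list.
CLASSIFICATION = {
    "marketing_plans": Tier.INTERNAL,
    "business_leads": Tier.INTERNAL,
    "employee_email_lists": Tier.CONFIDENTIAL,
    "customer_contracts": Tier.CONFIDENTIAL,
    "employee_payroll": Tier.RESTRICTED,
    "employee_health_records": Tier.RESTRICTED,
    "login_credentials": Tier.RESTRICTED,
    "source_code": Tier.RESTRICTED,
    "trading_algorithms": Tier.RESTRICTED,
}

# Assumed roles: (maximum clearance, categories the role has a business need for).
# Clearance alone is not enough; the category must also be on the need-to-know list.
ROLES = {
    "marketing": (Tier.INTERNAL, {"marketing_plans", "business_leads"}),
    "hr": (Tier.RESTRICTED, {"employee_payroll", "employee_health_records",
                             "employee_email_lists"}),
    "engineering": (Tier.RESTRICTED, {"source_code"}),
    "legal": (Tier.CONFIDENTIAL, {"customer_contracts"}),
}

# In-memory audit trail of (role, category, tier, decision); a real system
# would write this to a tamper-evident log.
AUDIT_LOG = []


def can_access(role: str, category: str) -> bool:
    """Deny by default: allow only if clearance >= tier AND need-to-know holds."""
    clearance, need_to_know = ROLES.get(role, (None, set()))
    # Data nobody has classified is treated as the most sensitive tier,
    # never as public, so an inventory gap cannot silently widen access.
    tier = CLASSIFICATION.get(category, Tier.RESTRICTED)
    allowed = (clearance is not None
               and clearance >= tier
               and category in need_to_know)
    AUDIT_LOG.append((role, category, tier.name, "ALLOW" if allowed else "DENY"))
    return allowed


def unclassified(inventory) -> list:
    """Categories present in a data inventory but missing from CLASSIFICATION."""
    return sorted(c for c in set(inventory) if c not in CLASSIFICATION)


if __name__ == "__main__":
    # Constructed sample requests and a constructed data inventory.
    for role, category in [("marketing", "marketing_plans"),
                           ("marketing", "employee_payroll"),
                           ("engineering", "trading_algorithms"),
                           ("legal", "source_code")]:
        print(role, category, "->", "ALLOW" if can_access(role, category) else "DENY")
    print("unclassified:", unclassified(["source_code", "patient_lists", "facilities_maps"]))
```

The two-part check is the point: an engineering role cleared to RESTRICTED still cannot read trading algorithms, because need-to-know is evaluated per category rather than per tier. Running `unclassified()` against your data inventory is a quick way to find the "other valuable data" the post warns about before deciding which tier it belongs in.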
Clearwater Compliance helps healthcare organizations of all sizes create comprehensive and robust information risk management programs that protect any and all sensitive information.
We also provide educational courses on data risks and security measures. We currently offer 10 Educational Tracks for 2015-16, with pre-registration now open for three. Every course will guide you step by step through a set of resources to help build and strengthen your understanding of the important compliance and information risk management issues impacting today’s healthcare organizations.
Register for our free Information Risk Management Educational track:
Get a bite-sized email each week with educational resources, designed to take you step by step through the best practices for establishing a robust IRM program.
Latest posts by Bob Chaput