7 steps for healthcare facilities to armour their cyber security programmes

The world is facing an unprecedented cyber threat. The average consolidated cost of a data breach has risen to $4 million, and the average cost for each stolen record now sits at $158. Those numbers grow even larger once you begin to consider the harm a breach does to a business’s reputation.

Over time, industry has learned quite a bit about how breaches occur: 56% result from phishing attacks, with 30% of users opening phishing emails, and 12% clicking on the links contained within.

Nearly all computers use various software applications that require regular updates to protect against attacks. Technology moves at light speed, and so do those intent on stealing consumer information.

With this information in mind, where should healthcare facility administrators and receivables professionals look to minimise risk and maximise cyber security protection?

Start with these seven items

Ensure appropriate access control

Provide your employees with only the data they need to perform their jobs. Train your team, including C-level executives, on why these restrictions enhance data security. Specifically, access beyond what’s necessary often exacerbates ransomware attacks.

Bake your compliance and data security programs into everyday business

Keeping consumer information safe shouldn’t be a bolted-on summary process: it needs to be considered with the most granular of activities.

Consider data security and compliance when making shifts in technology or operations, and create authoritative IT policies followed daily.

Keep an eye on your vendors

Regulatory organisations, including the CFPB, have made it clear you are responsible for overseeing your service providers’ data security practices.

That means conducting appropriate oversight for every firm, since their practices can affect the security of your own data. Send a security questionnaire or schedule an on-site visit. Too much to bear? Hire an outsourcer.

Brush up on consumer consent and revocation

Your payment arrangements, the TCPA and the FDCPA all matter when it comes to spousal communications, age of majority, doctrine of necessities, and the time, place or manner of calls you make. Document, document, document!

Get a handle on collection notices and letters

Know your validation notices and timelines for the first 30 days: Send a letter upon contact, validated by phone, get settlement letters in line and brush up on the ECOA.

Know your electronic payment requirements

There are many types of electronic payments, and each has different requirements for authorisation and authentication.

Are you aware of your options to appropriately document authorisation and payment arrangements? Your letters, recurring payment arrangements, the FDCPA, EFTA and Reg E all come to bear here.

Validate your data security

You might have the best people, the best process and exhaustive documentation of it all, but technology moves at light speed, and so do identity thieves. You won’t truly know whether you’re secure unless you test your system with an independent audit.

Finally, and most importantly for organisational leaders: get involved. It’s essential to ask yourself what you are doing to make sure your company stays out of the news.

Most established facilities and firms have a formal compliance program, but many have yet to consider standards like PCI, HIPAA and the GLBA Safeguards Rule. Hopefully, you trust that your technical and operations staff are staying compliant – but how sure are you?

That’s an important question to ask in a time when data security matters more than ever. Don’t leave the answer to chance.


Sourced by Rozanne Andersen, J.D., vice president and chief compliance officer for Ontario Systems

She is responsible for leading Ontario Systems’ corporate efforts and response to the CFPB’s launch of compliance examinations in the ARM industry.

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...