Business runs on data and the procedures that safely store and manage it. Data security has become more complex as companies shift to remote or hybrid working environments, opening the door to potential data breaches or other cybersecurity challenges.
This potential liability is especially pertinent when it comes to hearing conservation data. Even the smallest program relies on sensitive information, which must be safeguarded against cyberattacks. A compliant process delivers the capability to store, access and work with data while employing best practices to keep data safe from hackers.
With this blog post, we’d like to walk you through how we keep our clients’ program data safe and share some practical and effective security tips and strategies to help you ensure your employees’ information is kept safe and secure.
We power occupational hearing programs nationwide with a solution rooted in security. Any successful hearing conservation program places significant importance on accurate employee data. SHOEBOX makes it easy to archive, view, manage and analyze your program data using our secure cloud-based server.
Since the pandemic, we’ve witnessed increased remote working across various industries. This shift in how we work has caused us to reevaluate our ideas about achieving regulatory compliance now that the typical workspace is no longer contained within the walls of a brick-and-mortar location. However, regulatory requirements for data privacy and security still apply, regardless of whether someone accesses sensitive personal health information remotely or at their place of employment. For Health & Safety Managers, this can pose new challenges to how data is managed as part of a hearing conservation program.
SHOEBOX’s web-based data management portal makes it possible to securely manage your program data with centralized controls and restricted access levels assigned to specific users. Audiometric results are encrypted and automatically uploaded to the SHOEBOX web portal whenever your devices are connected to a secure network. Only users with appropriate permission levels are granted access to employee records and demographic information. On the testing devices themselves, access to test results, employee demographics and other data is significantly limited; these records are viewable only by program admins.
We recently worked with a mining company that had experienced a data breach impacting their hearing conservation program data. For this company, the consequences of the data breach included significant penalties and fines levied by OSHA for security violations found during audits of their hearing conservation program. After searching for an alternative solution that could provide the security they needed to prevent future cyberattacks and the fines and penalties that follow them, this company chose SHOEBOX to power their workplace hearing testing program, confident that their program data would be safe and secure moving forward.
The employer’s responsibility is to protect their employee information, and the negative consequences of a successful cyberattack can be felt for years. In addition to damaging the credibility of your company’s hearing conservation program, data breaches caused by a cyberattack can also jeopardize employee relationships and general trust in the organization, sometimes even resulting in litigation.
At SHOEBOX, we know the security of your data is critical. Unlike other solutions on the market, we elected to build our platform with an ISO 27001 framework instead of SOC 2. Both SOC 2 and ISO 27001 frameworks are well-regarded in North America; however, ISO 27001 provides greater detail on developing and maintaining an Information Security Management System (ISMS). To facilitate this compliance, we regularly conduct risk assessments, review security controls and analyze their effectiveness. SOC 2 in isolation doesn’t require the same data protection practices as ISO 27001.
Although you may not think your organization could fall victim to a cyberattack, data breaches are more common than you think. A recent survey conducted by KPMG discovered that two-thirds of participants anticipate that external fraud will likely increase within the following year. The survey also uncovered that 84 percent of participants believe the threat of cyberattacks is rising, with 73 percent feeling that compliance risk will increase. Conversely, the same survey found that only 35 percent of respondents say their companies have adequate procedures to protect them from attacks.
One of the more notable instances of a cybersecurity breach involving PHI (Personal Healthcare Data) occurred in 2014 at Anthem, Inc. The company would eventually announce that 78.8 million data records were exposed due to a breach. The leaked information included names, addresses, birth dates, Medical IDs and Social Security Numbers. The consequences of this attack were vast, resulting in a $115 million class-action lawsuit from 100 separate cases and $260 million in remedial security measure HIPAA fines. In addition, the company was required to pay $16 million to the U.S. Department of Health & Human Services (HHS), the largest fine ever levied by the Office for Civil Rights.
Luckily, costly cyberattacks are preventable, and the following tips and strategies will help keep your sensitive information safe.
- Conduct Regular Security Awareness Training Across the Company
Staff errors cause most security breaches, so it’s crucial to keep security top of mind. Deliver regular employee training. Educate staff on the importance of security and how everyone plays a key role. Employee buy-in is a highly effective instrument against cyberattacks.
- Mandate Secure File Sharing Practices
As we shift more and more towards cloud computing, vast amounts of sensitive data are being uploaded and downloaded at any given moment. This increase in accessibility and collaboration can power innovation but can also open the door to increased cybersecurity risk. Ensure that any file sharing utilizes end-to-end encryption. In addition, run regular audits looking for security vulnerabilities and anomalies. For example, our secure hearing conservation data management portal can be accessed via a browser, and patient data and test results are automatically backed up from iPads.
- Ensure Your Data Breach Plan is Readily Available To Your Employees
The HHS has clearly outlined immediate actions that must be taken in case of a breach (https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html). Having a well-thought-out internal data breach plan in place is vital, and it’s also essential to make these steps readily accessible. In addition, these actions should be well-tested and clearly state each person’s responsibilities.
- Ensure That All Company Software is Up-to-date
Outdated or unpatched software is a common vulnerability exploited in successful cyberattacks. Software manufacturers know this risk and usually devote heavy resources toward creating patches to address security vulnerabilities. Recommending that staff enable auto-updates is an excellent way to keep software up-to-date, but IT may still need to provide support. For example, our solutions are automatically kept up-to-date; this ensures our clients’ software is current without the burden of manual upgrading.
- Implement Robust Internal Processes and Review Access Controls
It’s crucial to map out how access to software and hardware is granted and removed. There are countless horror stories of ex-employees causing significant damage to a company because they could access company data and systems after termination. Ensure your organization has clear processes on how access is disabled when an employee leaves. This same logic applies to contractors and vendors. Keep a running list of all systems being accessed; this makes it easy to remove access immediately. Many organizations are now utilizing SSO (Single Sign-On) to authenticate all systems an employee uses. In addition, SSO makes it easier to remove or suspend user accounts by centralizing access control.
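One way to put the running list of systems to work, as an added example that is not SHOEBOX’s code: a small Python check that reconciles an HR roster against per-system access lists and flags accounts belonging to departed employees, expired vendor accounts and ids that appear on no roster at all. The system names, user ids and data layout are constructed for the example.

```python
"""Access-review check: flag accounts that should have been revoked.

Added example, not SHOEBOX code. The roster and access inventory are
constructed sample data in an assumed layout: the HR roster is keyed by
user id, and the inventory holds one user list per system. Dates are
ISO strings (YYYY-MM-DD), which compare correctly as plain strings.
"""

# Constructed HR roster: user id -> (display name, end date or None if active)
ROSTER = {
    "jdoe": ("Jane Doe", None),
    "bsmith": ("Bob Smith", "2023-03-31"),            # left last quarter
    "acme-ext": ("Acme Audiology (vendor)", "2023-05-15"),  # contract ended
    "klee": ("Kim Lee", None),
}

# Constructed running list of systems and who can currently access each one
ACCESS_INVENTORY = {
    "hearing-portal": ["jdoe", "bsmith", "klee"],
    "vpn": ["jdoe", "bsmith", "acme-ext"],
    "ipad-mdm": ["klee", "tmp-contractor"],           # id not on the roster
}


def find_stale_access(roster, inventory, today):
    """Return {system: [user ids to revoke]} for departed or unknown users.

    An account is stale if the roster shows an end date on or before
    `today`, or if the id is absent from the roster (orphaned account).
    """
    stale = {}
    for system, users in inventory.items():
        for uid in users:
            entry = roster.get(uid)
            if entry is None or (entry[1] is not None and entry[1] <= today):
                stale.setdefault(system, []).append(uid)
    return stale


def revocation_report(roster, inventory, today):
    """One line per finding, sorted by system, for the access-review record."""
    lines = []
    for system, uids in sorted(find_stale_access(roster, inventory, today).items()):
        for uid in uids:
            name = roster[uid][0] if uid in roster else "UNKNOWN (not in roster)"
            lines.append(f"{system}: revoke {uid} ({name})")
    return lines


if __name__ == "__main__":
    for line in revocation_report(ROSTER, ACCESS_INVENTORY, "2023-06-01"):
        print(line)
```

Run the same check after every offboarding and on a fixed schedule; any line it prints is an account that outlived its owner’s access rights.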
- Require the Use of Multi-factor Authentication (MFA)
Gone are the days of simple and easy-to-remember passwords. Instead, it’s recommended that companies utilize Multi-factor Authentication (MFA) as an authentication method. Users must provide at least two verification methods before gaining entry to secure information. MFA is a much better security method than simply using usernames and passwords.
- Protect Data with Current Anti-Virus and Malware Technology
Up-to-date anti-virus and anti-malware tools are yet another effective and easy-to-manage security measure that plays a crucial role in protecting PHI. This technology is essential with the recent increase in remote working. In addition, many of these products are straightforward to install, and frequent updates significantly improve the protection they provide.

An ongoing commitment to cybersecurity is something that must be taken seriously by any company, particularly when storing sensitive employee health information. Security has been at the foundation of our hearing conservation solution since day one and continues to be one of our primary focuses. Please let us know if you have any questions about how we protect our clients’ hearing program data or if you’d like to learn more about SHOEBOX.