All This Data, All This Risk

We’ve talked a lot about data and information in this series, and in previous ones. But with collecting and storing data comes significant risk. Every day we hear about malware, hacks, ransom demands, and phishing scams that can paralyze an organization and put sensitive data about clients and staff at risk. As demand for data grows – as payers demand more information about health and its social determinants to evaluate provider performance, consumer health status and risk factors, and to generate metadata analyses for better prediction – so does the risk.

Data breaches are increasingly common and can have devastating effects. Organizations face risks related to their IT systems, which may (and, in fact, do) have vulnerabilities their users are not aware of. Tech solutions mitigate the risk, but security costs are often very high and no solution is foolproof. At the same time, each of us is connected to an ever-growing number of apps that require passwords – and the best passwords are complex, difficult to remember, and should be changed frequently. And that’s the part end users control.

Mitigating Data Security Risks at Behavioral Health Organizations

In addition to Protected Health Information (PHI) on their clients, many organizations also hold vulnerable personal data about clients and staff, such as driver’s license and social security numbers, and some store credit card information; all are data that can be used for identity theft. Though many organizations carry cyber liability policies, and should do so, these do not undo the potential harm (and cost) a breach can cause to clients, the staff, and the organization. Mitigating these risks is a complex endeavor that requires investment in system upgrades that promote security; but, equally if not more important, it requires engaging staff in detecting and deflecting potential hackers.

Approaches to Data Security

At ContinuumCloud’s September ACCELERATE Conference, attendees heard from Robert Greene, CIO at Aspire Health Partners, about creative approaches to engaging staff. One of the key points that I noted was that this is not a one-and-done endeavor. We may all have included security during the onboarding process, and we may require staff to change passwords every few weeks or months, but neither is sufficient in today’s environment. Newer approaches include two-factor authentication and biometrics, and recently emerging technology may move us away from passwords to better, less hackable ways to verify a user.

But for now, organizations must encourage staff to remain vigilant and engaged. Training is certainly important. Through it you can establish the why – how the vulnerability can play out and the importance of protecting the client, the staff, the data, and the organization. Policies should make clear that there are consequences for violating security policies (e.g., sharing a password, leaving data exposed or unsecured, or ignoring prohibitions on bringing thumb drives or uploading apps on company equipment). Once trained, however, staff can become complacent – and the bad actors are increasingly clever about tricking even sophisticated and vigilant users.

Gamification as a Learning Tool

Among the recommendations Greene made is turning training and awareness-building activities into games that challenge staff to identify risks and rate their perception of how safe their organization or department is. He had attendees engage in a Dungeons and Dragons-style game where points were awarded based on a D&D die and the correctness of the answer. It was entertaining and made you think as well as learn from the correct answer and the not-so-correct answer. I liked this approach because it was engaging and the questions could be shaped for different types of staff and departments – from IT itself to end users at every level.

Another aid is sending test phishing emails internally to gauge users’ vulnerability to messages that pretend to come from within the organization, and then working with those who fall for them on how they might have detected the ruse. While many email systems now help in this process, most hacks start with a user vulnerability and a ruse. When this approach is first implemented, organizations find that a majority of users are fooled. With training and awareness provided in an engaging manner, the number can decline precipitously.

Data Security is Everyone’s Job

While many of us think that digital security is IT’s problem, in reality it falls to every member of an organization to protect the data and operation of the organization. While many aspects do fall to IT, such as how the system is set up and the recovery mechanisms they establish, we humans, as end users, are often a weak link. Organizations that engage staff in protective strategies will fare best in what is an increasingly challenging data security environment.

About the Author

Maggie Labarta

Maggie Labarta is Founder and Consultant at Impact Non-profit Consulting, having previously retired as CEO of Meridian Behavioral Healthcare. Labarta holds a Ph.D. in Clinical and Community Psychology and has extensive experience in both administration and clinical practice. She also has particular expertise in strategic planning, data and analytics as management tools, and organizational development. She provides consultative services for numerous community organizations.
