It has been proven again and again that traditional, old-school tools and methods for securing applications and data are not enough to address the threats in cyberspace. Healthcare organizations are at particular risk, and the need to manage and reduce these threats in ways that protect data at rest, data in use and data in transit keeps growing. The territory that chief privacy and security officers have to cover also grows by the day: protection has to be in place for on-premises facilities, remote access, mobile employees, technology operated by third-party consultants, outsourced suppliers and more.
Data security has never been more important, especially with so much at stake. So here are our top 5 best practices for securing and protecting sensitive data:
1. Physically secure the database servers and put strong access controls in place. Keep the database on a separate physical machine from the web or application servers. That way, if the web server is hacked, the attacker does not automatically own the machine holding the data. Separation only pays off if it is enforced: the database should accept connections only from the application tier, and the account the application uses should have the minimum privileges it needs, because an attacker who controls the web server can read whatever database credentials the application holds.
2. We are fortunate that many security defenses today are easy to use, do not get in the way of users' productivity and still provide the required protection for systems, applications and data. We do not want users frustrated by security measures, and controls that are hard to live with tend to get bypassed. Choose defenses that keep things easy for users so that their productivity stays in top shape.
3. There are security solutions that provide complete, automated logging, reporting and monitoring of data and network access, data movement and network-level activity. An effective monitoring tool should spot the signs of a compromised account (for example, unauthorized access being recorded), alert you when accounts are being shared, and raise an alert when accounts are created without approval.
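To make the three alert conditions above concrete, here is an added example (not code from the original post or from any product it describes) that runs simple detection logic over constructed authentication and account-administration log lines. The log format, field names, thresholds and the "ticket" approval field are assumptions made for the example; a real deployment would map them onto whatever the audit source actually emits.

```python
"""Detection logic for the three conditions named in the text: a likely
compromised account, a shared account, and an account created without
approval.  Added example with a constructed log format; nothing here is
a real product's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: "<ISO timestamp> <user> <event> <source ip> <detail>"
SAMPLE_LOG = """\
2024-03-01T08:00:05 jdoe login_ok 10.1.4.22 -
2024-03-01T08:02:10 jdoe login_ok 203.0.113.9 -
2024-03-01T08:10:00 mlee login_fail 198.51.100.7 -
2024-03-01T08:10:04 mlee login_fail 198.51.100.7 -
2024-03-01T08:10:09 mlee login_fail 198.51.100.7 -
2024-03-01T08:10:20 mlee login_ok 198.51.100.7 -
2024-03-01T08:30:00 rkim login_ok 10.1.4.31 -
2024-03-01T09:00:00 admin create_user 10.1.4.5 user=svc_backup ticket=CHG-1042
2024-03-01T09:05:00 admin create_user 10.1.4.5 user=tmp_acct ticket=-
"""


def parse_log(text):
    """Parse the constructed format into event dicts; key=value pairs in the
    detail column become the 'fields' dict, a bare '-' means no detail."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip, detail = line.split(" ", 4)
        fields = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "ip": ip, "fields": fields})
    return events


def detect_shared_accounts(events, window=timedelta(minutes=30)):
    """Flag an account that logs in successfully from two different source
    IPs within `window`: a simple indicator of credential sharing."""
    alerts = []
    logins = defaultdict(list)
    for e in events:
        if e["event"] == "login_ok":
            logins[e["user"]].append(e)
    for user, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            for prev in evs[:i]:
                if prev["ip"] != cur["ip"] and cur["ts"] - prev["ts"] <= window:
                    alerts.append(f"shared-account {user}: {prev['ip']} and "
                                  f"{cur['ip']} within {window}")
                    break
    return alerts


def detect_guess_then_success(events, failures=3, window=timedelta(minutes=5)):
    """Flag `failures` or more failed logins followed by a success for the same
    account from the same IP within `window`: the signature of a guessed or
    stuffed credential, i.e. a likely compromised account."""
    alerts = []
    recent = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["ip"])
        if e["event"] == "login_fail":
            recent[key].append(e["ts"])
        elif e["event"] == "login_ok":
            fails = [t for t in recent[key] if t >= e["ts"] - window]
            if len(fails) >= failures:
                alerts.append(f"possible-compromise {e['user']} from {e['ip']}: "
                              f"{len(fails)} failures then success")
            recent[key].clear()
    return alerts


def detect_unapproved_creations(events):
    """Flag create_user events that carry no change ticket (assumed approval
    marker): an account created without permission."""
    alerts = []
    for e in events:
        if e["event"] == "create_user" and e["fields"].get("ticket", "-") in ("", "-"):
            alerts.append(f"unapproved-account-creation by {e['user']}: "
                          f"{e['fields'].get('user', '?')} has no change ticket")
    return alerts


def run_detections(text):
    """Run all three detections over raw log text and return alerts by type."""
    events = parse_log(text)
    return {"shared": detect_shared_accounts(events),
            "compromise": detect_guess_then_success(events),
            "unapproved": detect_unapproved_creations(events)}


if __name__ == "__main__":
    for kind, alerts in run_detections(SAMPLE_LOG).items():
        for a in alerts:
            print(kind, "->", a)
```

On the constructed sample, the shared-account rule fires for jdoe (two IPs two minutes apart), the guess-then-success rule fires for mlee (three failures then a success), and the unapproved-creation rule fires for tmp_acct. The thresholds are deliberately simple; in practice you would tune the window and failure count to the environment and enrich the IP comparison (for example, treating two addresses in the same office range as one location) to keep false positives down.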
4. This one is especially important for covered entities that deal with business associates, third-party vendors and other outside business partners. Your organization must understand its data flows and make sure every vendor or business associate (BA) complies with your data security standards as well as the federally mandated ones. Know what data security controls and solutions they have in place in their own premises and facilities whenever they use and transmit your data, and how they protect data at rest. Also check how and when these third parties audit their own security controls.
5. No one person should hold two roles that are meant to be held by two individuals. One example is the roles of IT Security Officer and Database Administrator; these two positions should be staffed separately. This ensures that no single professional or group controls access to the information in the database without the supervision and approval of the Chief Security Officer (CSO), and it makes a breach like the WikiLeaks disclosures much harder to pull off. Segregation of duties also provides the checks and balances that help the group catch errors or shortcomings in the controls.
Follow these steps to make sure you are doing your best to keep sensitive data secure. In reality, these are not just best practices but essential practices if you want to take cyber threats and data theft off your worry list.