Here is a fascinating story of how one healthcare operation used a very simple method to heighten their HIPAA security. And the irony here is that they did it without buying any IT gear whatsoever.
The story appeared in this blog post for another security vendor, SentinelOne. The author worked at a healthcare provider and describes a practice called the “HIPAA Sheriff.” The idea is to have peer enforcement of a few simple rules to promote better security on personal data that could be compromised. The Sheriff is appointed by a previous honoree.
Here is how you get nominated. First, you either display personal data on your PC screen or leave a paper form on your desk in plain sight, and then walk away from your cubicle. If the Sheriff comes by and sees this information, they appoint you the new Sheriff. You get a cheap plastic badge and plastic handcuffs. The job is “to look around, find someone else leaving unattended physical or network data, and pass on the sheriff’s regalia to them,” as the blog poster writes.
Call it public shaming, call it a game, call it whatever you wish. It is a great idea. “Documents on the way to the trash had to be guarded closely, and screen-savers vigilantly installed. It was an early form of HIPAA network security before network security really developed into what it is today.”
It is a brilliant idea. Too often we try to enforce policies with complex IT implementations that don’t really work in the “real world” or account for how people actually behave. Forced password change policies come immediately to mind. If we require a password length and complexity that almost guarantees no one can remember it, and then demand that it be changed every 30 or 90 days, we are setting ourselves up for failure and almost guaranteeing a profusion of sticky notes under the keyboard or on the monitor. (NIST’s SP 800-63B guidance now says as much: don’t force periodic changes unless there is evidence the password has been compromised.) The HIPAA Sheriff would have easy pickings.
Granted, I am not saying that having a HIPAA Sheriff should be your only line of defense – far from it. But my point is that sometimes we in IT tend to look for technology to solve everything, even when we can fix human behavior with a few simple steps and a quick visit to Toys’R’Us.
So take a closer look at what you can accomplish to improve your security posture with minimal IT, or at least without having to install complex systems. Here are a few examples:
- Are there rules in your firewall or intrusion detection system that nobody can remember why they were put there? Rules with no owner and no recorded reason are the first candidates for review.
- Have you audited your Active Directory accounts recently to verify that every enabled account still belongs to a current employee, and that its group memberships still match that person’s role?
- When was the last time you mapped your network infrastructure? Chances are, it's already outdated.
- Have you changed all your default passwords on all your network gear? Check them all again.
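The Active Directory check above is really a reconciliation: the list of enabled accounts on one side, the HR roster on the other, and a look at who has not logged on in a while. Here is an added example of that reconciliation (not code from the original post or from SentinelOne). It assumes the AD side was exported with something like `Get-ADUser -Filter 'Enabled -eq $true' -Properties EmployeeID,LastLogonDate,MemberOf | Export-Csv`, that HR can produce a list of current employee IDs, and that the column names, group names, allow-listed service account and 90-day threshold are all choices made for the example; the sample data is constructed.

```python
"""Reconcile an Active Directory user export against an HR roster.

Added example, not code from the original post. Column names, group names,
the allow-listed service account and the 90-day threshold are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

INACTIVE_DAYS = 90
# Group names treated as privileged (assumed for the example).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Account Operators"}

# Constructed sample export; in practice this is the CSV written by Export-Csv.
AD_EXPORT_CSV = """SamAccountName,EmployeeID,LastLogonDate,MemberOf
asmith,1001,2024-05-20,CN=Domain Users;CN=Clinic Staff
bjones,1002,2024-01-03,CN=Domain Users
cdoe,1003,2024-05-28,CN=Domain Users;CN=Domain Admins
svc_backup,,2024-05-29,CN=Backup Operators
"""

# Constructed HR roster: bjones has left, and cdoe was never on it.
HR_ROSTER_CSV = """EmployeeID,Name
1001,A. Smith
1004,D. Nguyen
"""

# Accounts that legitimately have no HR record (assumed allow-list).
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}


def _group_names(member_of: str) -> set[str]:
    """Turn 'CN=Domain Users;CN=Domain Admins' into {'Domain Users', 'Domain Admins'}."""
    names = set()
    for dn in member_of.split(";"):
        dn = dn.strip()
        if dn.startswith("CN="):
            names.add(dn[3:])
    return names


def audit_accounts(ad_csv: str, hr_csv: str, today: datetime,
                   inactive_days: int = INACTIVE_DAYS) -> list[dict]:
    """Return one finding per enabled account that fails a check.

    Checks: (1) the account's EmployeeID is on the HR roster, unless the
    account is an allow-listed service account; (2) the account has logged on
    within `inactive_days`. Privileged group membership raises the severity.
    """
    active_ids = {row["EmployeeID"].strip()
                  for row in csv.DictReader(io.StringIO(hr_csv))}
    cutoff = today - timedelta(days=inactive_days)
    findings = []
    for row in csv.DictReader(io.StringIO(ad_csv)):
        sam = row["SamAccountName"]
        reasons = []
        emp_id = row["EmployeeID"].strip()
        if sam not in KNOWN_SERVICE_ACCOUNTS and emp_id not in active_ids:
            reasons.append("not on HR roster")
        last = row["LastLogonDate"].strip()
        if not last or datetime.strptime(last, "%Y-%m-%d") < cutoff:
            reasons.append(f"no logon in {inactive_days} days")
        if reasons:
            privileged = _group_names(row["MemberOf"]) & PRIVILEGED_GROUPS
            findings.append({
                "account": sam,
                "reasons": reasons,
                "severity": "high" if privileged else "medium",
                "privileged_groups": sorted(privileged),
            })
    return findings


def sample_findings() -> list[dict]:
    """Run the audit over the constructed data as of a fixed date."""
    return audit_accounts(AD_EXPORT_CSV, HR_ROSTER_CSV, datetime(2024, 6, 1))


if __name__ == "__main__":
    for f in sample_findings():
        groups = f"  (member of {', '.join(f['privileged_groups'])})" if f["privileged_groups"] else ""
        print(f"{f['severity']:6} {f['account']:12} {'; '.join(f['reasons'])}{groups}")
```

Two caveats a practitioner will hit: `LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which can lag a real logon by up to 14 days, so treat it as a coarse signal rather than an exact date; and service accounts need an explicit allow-list like the one above, or they show up as "not on HR roster" every single run and the report gets ignored.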
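The firewall-rule question above also has a cheap, mechanical first pass: rules that nobody recorded a reason for, and rules that have not matched a packet since the counters were last reset. The following is an added example (not code from the original post or from SentinelOne) that parses the output of `iptables -L INPUT -v -n -x` (exact counters, no name lookups) and assumes rule owners record their reason with `-m comment --comment "..."`, which iptables prints as `/* ... */`. The listing it runs over is constructed.

```python
"""Flag firewall allow rules that are unexplained (no comment) or unused (0 hits).

Added example, not from the original post. Assumes the listing comes from
`iptables -L INPUT -v -n -x` and that reasons are recorded via -m comment.
"""
import re

# Constructed sample of `iptables -L INPUT -v -n -x` on a host up for months.
SAMPLE_IPTABLES = """Chain INPUT (policy DROP 4412 packets, 264720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 1839221 201553312 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* loopback */
  523901  41912080 ACCEPT     tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:22 /* ssh from corp */
       0         0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
   12007    960560 ACCEPT     tcp  --  *      *       192.168.5.0/24       0.0.0.0/0            tcp dpt:3389
       0         0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 /* snmp poller, retired? */
"""

COMMENT_RE = re.compile(r"/\* (.*?) \*/")


def parse_rules(listing: str) -> list[dict]:
    """Parse the -L -v -n -x listing into dicts; chain and column headers are skipped."""
    rules = []
    for line in listing.splitlines():
        tokens = line.split()
        # Rule lines start with a numeric packet counter; headers do not.
        if len(tokens) < 9 or not tokens[0].isdigit():
            continue
        pkts, nbytes, target, prot, opt, in_if, out_if, src, dst = tokens[:9]
        rest = " ".join(tokens[9:])          # match text plus optional /* comment */
        m = COMMENT_RE.search(rest)
        rules.append({
            "pkts": int(pkts),
            "target": target,
            "prot": prot,
            "src": src,
            "dst": dst,
            "match": COMMENT_RE.sub("", rest).strip(),
            "comment": m.group(1) if m else None,
        })
    return rules


def audit_rules(listing: str) -> list[dict]:
    """Return ACCEPT rules with no recorded reason and/or zero hits."""
    findings = []
    for i, r in enumerate(parse_rules(listing), start=1):
        if r["target"] != "ACCEPT":
            continue  # unused DROP/REJECT rules cost nothing; unused allows are the risk
        reasons = []
        if r["comment"] is None:
            reasons.append("no owner/reason comment")
        if r["pkts"] == 0:
            reasons.append("zero hits since counters were last reset")
        if reasons:
            findings.append({
                "rule": i,
                "match": r["match"] or r["prot"],
                "src": r["src"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_IPTABLES):
        print(f"rule {f['rule']}: {f['match']} from {f['src']}: {'; '.join(f['reasons'])}")
```

Zero hits only means zero since the last reboot or ruleset reload, so check uptime before deleting anything, and prefer to disable a suspect rule for a while (or move it to a logging rule) rather than remove it outright. The real payoff is the second finding type: a rule that is in active use but that nobody wrote a reason for is exactly the kind of thing the Sheriff would pounce on.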
None of these activities require spending a lot of dough, or even a lot of time. As the blog post says, “Simply put, you have to guard the exits, and man the halls. You have to monitor every network endpoint. You have to treat a network as a multi-segmented organism instead of just a single container.” Let’s make appointing the next Sheriff a lot harder.