Ever have a moment of all-consuming worry that you accidentally sent an email to the wrong recipient? Well, the Pennsylvania-based health insurer UPMC Health Plan is living that nightmare in real time. According to The Pittsburgh Post-Gazette, UPMC's much-publicized data breach was apparently caused by an employee sending sensitive information via email to the wrong address. In turn, 722 members had their personal information exposed, including their:
- Insurance membership numbers.
- Birth dates.
- Phone numbers.
- Insurance plan types.
- Primary-care physicians.
If there were ever a case for an "undo send" button on email, this is it.
The email didn't detail patient medical records, but it did expose enough protected health information to merit a call to the Department of Health and Human Services. Though the breach is still being sorted out, revealing patient information is a HIPAA violation and may result in fines or other penalties.
There's no denying this breach is bad news, but there's a silver lining. It demonstrates you don't need to be a tech whiz to actively reduce your risk of data breaches. Let's review some best practices for good measure.
Easy Peasy Cyber Security Tips
You might be surprised by just how underprepared many small businesses are when it comes to protecting their data. For starters, many small-business owners don't have Cyber Liability Insurance, which is the only policy that can help pay for data breach cleanup costs (e.g., notification, credit monitoring, and security investigation). But no policy can prevent a data breach from happening, and that's why you've got to do what you can to secure your digital assets from the outset.
While simple exposures can have dastardly consequences, simple preventative measures can keep many leaks at bay. For example, you can significantly step up your cyber security by:
- Training and educating your employees. Bar none, this is the easiest way to prevent tiny slipups from becoming mega-dollar breaches. Your employees should know how to spot a phishing email (because 23 percent of small-business employees still open them!), how to safely access your business's records and network from a personal device, and how to properly dispose of sensitive information.
- Double-checking email addresses before sending. At best, an email sent to the wrong recipient is a little unprofessional and embarrassing. At worst, confidential information gets out, as it did in the UPMC breach. Always make sure you and your employees double-check addresses before firing off important emails.
- Encrypting sensitive data. This is especially important for data you transmit. If encrypted information falls into the wrong hands, the recipient or thief will need the encryption key to read it.
- Creating strong passwords and changing them regularly. Reusing old or easy passwords is like locking your door but leaving your window open. It's barely a hurdle for a thief. Read "5 Business Events that Should Trigger Password Changes" for tips on choosing complex passwords.
- Limiting access to sensitive information. Segment your network so only people who need access to your confidential data have it. If they leave their position, promptly revoke access privileges. More on that in "Treat Your Data Like a Picnic Basket to Minimize Breach Damage."
- Updating your software. If you keep forgetting to update your software, you're missing the latest security patches. That means hackers can exploit the known vulnerabilities in your systems (read more about that in "The #1 Reason to Update Your Software Today"). Send out memos so your employees update software as soon as patches are released to limit your exposures.
- Creating a BYOD policy. If you run a bring-your-own-device program, ensure you have a formal policy in place that outlines how business information is transmitted and stored on employees' personal devices. For more BYOD pointers, read "Why Buying Laptops for Your Employees May Be Cheaper than You Think."