John Bandler, author of the book, “Cybersecurity for the Home and Office: The Lawyer's Guide to Taking Charge of Your Own Information Security,” will be a speaker at the 13th Annual RISE Nashville Summit in March 2019. In this article, RISE talks to Bandler about the four pillars of cybersecurity that health plans must follow to protect their organizations and members from fraud, identity theft, and cyber attacks.

More than half of health care data breaches are the result of internal problems within organizations and not external factors, according to a recent study from Michigan State University and Johns Hopkins University.

One quarter of all the cases were due to unauthorized access or disclosures, more than twice the amount that were caused by external hackers, according to the research letter published in JAMA Internal Medicine. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content,” says John (Xuefeng) Jiang, the lead author of the study.

The fact that an individual employee can be the weak link doesn’t surprise John Bandler, an attorney and consultant who helps businesses, professionals, and individuals with cybersecurity and information security, cybercrime investigations, as well as traditional investigations, anti-fraud, compliance, governance, and other areas. Bandler, founder of Bandler Law Firm PLLC and Bandler Group LLC, says the lesson is that everyone needs to learn about health care information security and cyber security.

“Even if you have the best tools, firewalls, and antivirus protection, an individual employee can click on a link, download an attachment and make a bad decision that can lead to a breach,” says Bandler, who will co-present a session on cybersecurity at the 13th Annual RISE Nashville Summit, March 17-19, 2019 at the Gaylord Opryland Resort. “Part of what I preach is cybersecurity starts with each person.”

He recommends that health care organizations take the following steps, what Bandler refers to as the “four pillars” of cybersecurity, to help educate employees about the dangers of cyber threats and hacks.

1. Improve your knowledge and awareness: Bandler explains that when you drive a car, you have enough awareness of how a car works, and what the brakes and steering wheel do. Therefore, when it rains, you know that the road becomes slippery and you must take extra caution. The same is true for information security, he says. “If you have enough knowledge about how a computer works and where the data is, it helps you make better decisions. If you have no knowledge or no awareness, it’s hard to make a good decision about whether you should click on that link,” he says.

2. Secure all your devices. A lot of problems are due to people not following the simple basics. First, don’t lose your smartphone, tablet, or laptop, he says. Next, Bandler recommends that you put a password on the devices and consider encryption (a process that encodes information so that only those authorized can access the information).

3. Secure your data. This means that people must understand where the data is located. Some people think their data is in the phone because that’s where they get their information, Bandler says. They don’t understand that data on devices is in the cloud. Once they understand, they can take steps to secure cloud data. “One way is to back it up and another is to secure cloud data with two-factor authentication,” he says.  The two methods of authentication provide an extra layer of security because it not only requires a password and username, it may involve a code that the person receives via text on their smart phone to access the data.

4. Secure your networks and your Internet usage. This is more complicated because it means people must be careful about what they share on networks. “Think of it like a cocktail party where anyone can overhear what you are saying. Now think about it in the context of transmitting data through the Internet. When you send data through the Internet or a public network, it’s as if you are putting it on a postcard and anyone along the way could see the information," Bandler says. He recommends that health care organizations consider encryption to help prevent interference.

To learn more, Bandler will be discussing cybersecurity with David Andrews, chief technology officer of Visualize Health, at the 13th Annual RISE Nashville Summit, March 17-19, 2019 at the Gaylord Opryland Resort.