When handling sensitive PHI (protected health information) and PII (personally identifiable information), the number-one priority needs to be safeguarding the data across its entire journey. That means protecting that information across all possible paths through which it can be created, processed, accessed, and communicated.
According to the 2018 Verizon Data Breach Investigations Report, the healthcare industry has the highest rate of data breach incidents caused internally, at 56%. We take this seriously at Evive, leading us to our data-safeguarding philosophy: Be methodically paranoid. This guiding principle is what drives our three pillars of security strategy: security immune system, cyber-hygiene exercises, and incident-response readiness. Having battle-tested practices and processes in place to maintain this philosophy ultimately earned us our HITRUST CSF Certification, further validating our promise to protect sensitive information.
We have a humble respect for the massive challenge in front of us, so we instill these values and practices across our entire company—from the executives to the operations team and everyone in between. We use actionable playbooks to tirelessly practice responses to issues with everyone in the organization.
It’s important for us to be transparent about our unique approach to data safeguarding, just as we are with data privacy. Just how do we build that framework? Below are the three ways we’ve defined our security strategy:
1. Constantly fortify enterprise-wide security immune system
This is our company’s collective capability to detect and fight off threats. Every employee takes responsibility for protecting our security immune system. Part of that responsibility is detecting things like phishing attacks, and most importantly, reporting them in a timely manner.
We cannot solely rely on tools like firewall and intrusion detection systems; each person plays a critical role in safeguarding. Many breached companies have deployed state-of-the-art security tools and appliances, but their weakest link can end up being employees who have not been properly trained in defense against cyber threats.
2. Step up the cyber hygiene
Improving cyber hygiene is about strictly following proven cyber-security practices on a regular basis. For instance, employees are trained to always be alert to suspicious emails and other social-engineering threats, and to know how to identify even the most sophisticated phishing patterns in them. The focus of cyber-security is on data safeguarding practices, such as data loss prevention (DLP) and encryption of sensitive data at all times—in transit and at rest. Evive deploys advanced and multi-tiered data loss prevention controls at all end points and devices to detect any deviation from the established data-protection policies. This trust and verified approach is yet another demonstration of being methodically paranoid.
These are examples of key tips we impart to our employees. We consistently review such practices with them and ensure they know why the practices matter.
3. Practice the actionable playbook for security and privacy incidents
It’s one thing to know what our strategy is. It’s another to put it into action when the time calls for it. We train and test executives and frontline employees alike on their abilities to detect phishing emails and other security threats. We give them the opportunity to tap into that playbook to fight the threat off, and when they demonstrate that they know how and when to take action by reporting the incident, they are allowed to access sensitive information.
Instilling that commitment internally
Consistent with Evive’s business philosophy of nudging members toward healthy lifestyles, our security team shares data-flow stats to nudge our employees toward better cyber-hygiene practices. By continuing to keep our employees updated on security risks, as well as ways to prevent them, we keep our philosophy strong and our security framework in tact.
We’re always measuring the success of our team’s responses to cyber-hygiene practices, and we’re always reporting back on the results. This ensures we stay transparent in where we stand and what the right things are to do. In the end, the urgency behind this transparency brings us back to what Evive does in the first place—take care of real lives every day.