How to Maximize Your Personal Health Data Defense

Gates.  Alarm systems.  Security guards.  What do they all have in common?  They are the first line of defense protecting what is most important to you.  If an attacker were to get past that guard, would you still be protected?

In the Information Security community, we use what is called a defense-in-depth, or layered, approach.  This means that if one aspect of our defense fails, there are many others to fall back on.  We call this eliminating a single point of failure. 

To illustrate this point, imagine all of your data as if it were clothing in a suitcase.  A single point of failure would be securing that suitcase with the little lock that comes with it when you buy it.  A layered defense would be to put each clothing item into a sealed bag, and then all of those bags into another sealed and locked bag, put that bag into the locked suitcase, wrap the suitcase in cling film, put a few bike chains around it, and then put the whole suitcase into a big safe.  If an attacker were to get through any single one of those protections, the suitcase would still be relatively protected.

So, what does this mean for your healthcare data?  Our healthcare-related data is some of the most important and sensitive data that we own.  It is absolutely critical to approach protecting it from a layered defense mindset.  We can do this by distilling down four simple controls: inventory, configuration, access control, and maintenance.

Step One: Inventory. 

Know what is on your network!  Make a list of the devices on your home network.  This means anything with an Internet connection.  This includes smartphones, tablets, computers, and especially smart devices such as Alexa, thermostats, and home security systems.  Next, make a list of all of the software on your systems so that you know what programs may have access to your data. 

Step Two: Configuration

Be aware of what software and applications on your devices are allowed to access different aspects of your data.  Can a game app access your microphone, camera, and photos?  Does it need to?  If not, turn off that permission.  Most commonly, these permissions can be found in the Settings or Privacy menu either of the application or on the device itself.  Modify these settings to avoid giving too much access.  It’s better to deny everything and allow as needed instead of the other way around

Step Three: Access Control

Whether you live at home alone, with family, roommates, or just your dog, figure out who has physical and electronic access to your devices and data.  This goes hand-in-hand with Step Two.  A great antivirus can’t protect you against a burglar physically stealing your device.  If you have printed medical documents, lock them up in a file cabinet.  Make sure that electronics and healthcare apps like MyChart have passcodes on them to avoid unauthorized access.

Step Four: Maintenance

So you got it all nice and secure.  Now what?  Check up on it regularly.  Updates happen.  New apps and software get downloaded.  Devices get upgraded to newer models.  When these things happen, permissions change.  Even if everything stays exactly the same, it’s good practice to just scroll through permissions once in a while.  It’s like getting the oil changed on your car.  Even if nothing is knocking and sputtering (yet), it keeps the whole system in good working order.  Set a calendar reminder every three to six months to give everything a once over.

Remember: inventory, configuration, access control, and maintenance. 

Know what you have, where you have it, how it uses your data, who has access to it, and how to maintain it.

Congratulations! Now you’re thinking like a cybersecurity professional.