How HR Helps IT Security Protect Sensitive Information
IT security teams are the first line of defense when it comes to protecting sensitive personal and enterprise information. They manage the tools, technology, processes, and policies that protect against threats that can cost real dollars. However, the best IT security strategies mean little without adoption and compliance from the people they are designed to protect.
HR professionals are an essential ally to IT teams and can help an organization build a culture of smart security practices through employee training, communication, and awareness activities. In healthcare, they also play a role in vetting third-party vendors, who often store employees' sensitive personal information, such as financial or health information.
What IT Security Protects Against
IT security teams protect private information from being accessed or frozen, for both the organization and its employees. That information can include proprietary details of how your organization conducts its business, corporate financial information, and even the home addresses, Social Security numbers, and banking information of employees. In healthcare, private (and HIPAA-protected) health information also comes into play and introduces a whole new level of risk for security professionals. Attackers can try to access this information in many ways, but the most common forms are data breaches and ransomware attacks.
Data breaches are unwanted or unauthorized disclosures of sensitive information, such as when hackers gain access in some way to protected information and export or copy this data to use or sell. According to Verizon’s 2023 Data Breach Investigations Report (DBIR), 74% of all breaches included a human element. Human elements include error, misuse of privilege, use of stolen credentials, and social engineering. If Protected Health Information (PHI) is stolen, it could lead to significant penalties on top of the breach’s costs.
Ransomware, a type of malware that cuts off access to systems and data until a large ransom is paid, can bring business to a screeching halt. The 2023 DBIR says ransomware is present in 24% of breaches and is ubiquitous among organizations of all sizes and industries. Even if the ransomed data is recovered without paying the ransom, the interruption to normal business and the cost of reclaiming the data can be significant.
HR’s Role in Supporting IT Security
Clearly, the stakes are high, and effective training and culture-building in your workforce are key to a solid foundation of data security. HR professionals play key roles in three ways: culture-building, education and training, and vetting vendors and partners.
Culture-Building
According to Mercer's 2020 Global Trends Study, 62% of executives say the greatest threat to their organization's overall cybersecurity is employees' failure to comply with data security rules. Even when their organizations are equipped with technology and training, many executives worry that they lack the buy-in of their employees to follow procedure. The lack of a security-minded culture in the workforce remains a concern.
HR professionals are the culture-setters for their organization. They are the primary channel for communicating why the organization does what it does and for cultivating buy-in from its workforce. By helping corporate and IT leadership communicate with employees in an engaging manner, HR can build employee buy-in on policies and adoption of the technology that enhances the organization's data security.
Education and Training
Beyond setting culture, HR is often involved in the planning and execution of IT security training developed to educate all employees, no matter their role, on how to recognize phishing attempts, ransomware attacks, social engineering, and more.
Training is critical in protecting organizations against threats targeting the human element, which makes up 74% of all breaches. Employees may not recognize social engineering without training that provides them with helpful examples and context. The training must be engaging, relevant, and helpful to motivate employees to be aware of threats and adopt security practices. HR professionals, with their experience in employee training, can help ensure that IT security training is positively influencing the workforce.
Vetting Vendors and Partners
Vendors and partnerships across industries can create extra avenues of risk if they have any access to sensitive company data. Vetting these organizations for their IT security practices and accreditations is key. HR can make sure that internal teams review prospective partners to confirm that their dedication to security matches yours.
Healthcare partners, specifically, can have access not just to sensitive company information but to employees' private information as well. Health records can include some of the most private information a person has, including home address, Social Security number, and medication and diagnosis information. Healthcare partners need to be held to a high standard when it comes to company data and PHI. Look for vendors that hold relevant accreditations, such as HITRUST, and that conduct regular testing and auditing of their IT security posture.
Through culture-building, training, and the selection of trustworthy vendors and partners, HR professionals are a key element in ensuring the safety of your organization's data. By building a strong partnership with your IT security team, they can help ensure your protected information is safe and secure.
Premise Health's dedication to IT security resulted in receiving full HITRUST accreditation and certification for the sixth year in a row. Additionally, our CISO was named to the CISOs Connect Top 100 list. We know that being a valuable healthcare partner means being a secure partner.
Learn more about Premise’s dedication to being a trusted and secure partner to our clients and members.