Risk Analysis: Mapping Your Data

Do you know where data goes when it enters your organization? Where is it stored? Who has access to it? Are there different levels of access, with restrictions for some employees? Through what channels does it, or can it, leave the organization?

At the annual NIST HIPAA Security Conference, Suzanne Widup, the Senior Analyst with Verizon Enterprise Solutions, presented their recent studies of data breaches across industries. She mentioned they often find that people have no idea where data is going when it enters their digital environment.

If you don’t take the time to map out where the data goes and is stored in your systems, how do you know it’s secure? And how do you ensure you can target any vulnerabilities and strengthen your cybersecurity practices?

In previous posts, we’ve discussed the importance (and the HIPAA requirement) of performing an annual risk assessment. Many of the questions relate to cybersecurity, but it’s important to keep in mind that you don’t always know what you don’t know. If you haven’t done this before, or haven’t in a while, go back to basics and make sure you know where your data is going!

Some questions to start off with:

  • Are there passwords or PINs to access your data?
  • Are all employees restricted to accessing only the data that is necessary for their jobs?
  • What type of file systems is the data stored in?
  • How is the data transferred or shared within the organization?

As you begin to map out your system, make sure to pinpoint where you can and should add security. The most important question is ultimately whether the data is encrypted and protected at each step along the way through your systems. Once you can confidently say yes, you can confidently tell your clients their information is safe in your hands.
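The questions above and the per-step encryption check can be written down as a small data-flow map and audited the same way every year. This is an added example, not code from the original post; the Store/Flow/DataMap model is an assumed way of recording a map, and every store, flow and role name in the sample is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Store:                  # a place data is kept (database, file share, form system)
    name: str
    requires_auth: bool       # is there a password/PIN/MFA gate in front of it?
    encrypted_at_rest: bool
    allowed_roles: set[str]   # roles that can read it

@dataclass
class Flow:                   # one hop data takes from one store to another
    src: str
    dst: str
    encrypted_in_transit: bool

@dataclass
class DataMap:
    stores: dict[str, Store]
    flows: list[Flow]
    role_needs: dict[str, set[str]]  # role -> stores that role's job actually requires

def audit(dm: DataMap) -> list[str]:  # one finding per gap; empty list means every step checks out
    findings = []
    for s in dm.stores.values():
        if not s.requires_auth:
            findings.append(f"{s.name}: no password/PIN required")
        if not s.encrypted_at_rest:
            findings.append(f"{s.name}: not encrypted at rest")
        for role in sorted(s.allowed_roles):          # least privilege: access beyond job need
            if s.name not in dm.role_needs.get(role, set()):
                findings.append(f"{s.name}: role '{role}' has access it does not need")
    for f in dm.flows:
        if f.dst not in dm.stores:                     # data leaving through an unmapped channel
            findings.append(f"flow {f.src}->{f.dst}: destination is not on the map")
        if not f.encrypted_in_transit:
            findings.append(f"flow {f.src}->{f.dst}: not encrypted in transit")
    return findings

# Constructed sample map for a small clinic; every name here is hypothetical.
SAMPLE = DataMap(
    stores={
        "intake-form": Store("intake-form", True, True, {"front-desk", "billing"}),
        "ehr-db": Store("ehr-db", True, True, {"clinician", "billing"}),
        "shared-drive": Store("shared-drive", False, False, {"front-desk", "clinician", "billing", "marketing"}),
    },
    flows=[Flow("intake-form", "ehr-db", True), Flow("ehr-db", "shared-drive", False),
           Flow("shared-drive", "personal-email", False)],
    role_needs={"front-desk": {"intake-form"}, "clinician": {"ehr-db"}, "billing": {"intake-form", "ehr-db"}},
)
```

Running `audit(SAMPLE)` returns nine findings, all of them about the unauthenticated, unencrypted shared drive and the unmapped channel out of it; a map that passes every check returns an empty list.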