If you work in IT, the words “data breach” likely send shivers down your spine. If you work in IT for a human services agency, the stakes are even higher.
No one—agency or vendor—wants to be responsible for a security breach, ransomware attack, or data loss that compromises your system integrity, threatens your clients’ privacy, or delays your agency’s ability to deliver services to the people who rely on you.
Of course, there’s the financial aspect to consider as well. For example, Sophos’ 2023 State of Ransomware report cites $1.8 million as an estimated mean cost to recover from ransomware attacks (excluding ransoms paid) when you add up the costs of downtime, people time, device/network cost, and other factors. Further, research blog Comparitech says 423 individual ransomware attacks on US government organizations between 2018 and 2023 potentially impacted more than 250 million people and cost over $860 million in downtime.
Considering these statistics, it’s no surprise that cybersecurity has been a priority for state CIOs for over a decade now. (It’s also worth noting that in 2024 both cybersecurity AND digital government topped NASCIO’s annual list.) Here are some key things human services agencies should do to prevent common cybersecurity problems from happening in the first place.
Store your data in a secure cloud environment.
Human services agencies that regularly manage personally identifiable information (PII), information protected under HIPAA, and other valuable data are a prime target for cyber-attacks. Storing data on-premises can increase your agency’s vulnerability footprint, whereas moving it to the cloud allows for more specialized security and privacy measures.
For example, Northwoods partners with Amazon Web Services (AWS) to securely store our customer’s data in the cloud. We leverage the services and tools AWS provides to build and operate our solutions securely, using FedRAMP- and HIPAA-compliant services.
Prioritize cloud-first software.
Cloud options are overwhelming, we know. Each type of cloud computing, cloud services, and cloud environment has its advantages and limitations, but we believe technology that’s designed for cloud architecture (cloud-first) is the best option for human services. A few of the many reasons why:
- Flexibility. Cloud-first tools can evolve as policies and requirements do, without compromising security.
- Scalability. Cloud-first technology can scale quickly with minimal added effort. This also makes it easier to keep up with increasing load on the application services as utilization increases over time.
- Immediate updates. Ensuring software is always up to date is key in mitigating or responding to security risks. Plus, agencies avoid downtime since they don’t have to schedule upgrades and deploy time-consuming changes.
Northwoods fully embraced the cloud mindset when building Traverse®, which also allows us constantly refine and enhance our web and mobile applications to provide additional value.
Test your backups and restores.
Ransomware. Hardware failure. Human error. Natural disaster. In any of these events, minimal turnaround time to get back online is key to avoiding any major data loss or disruption. Whether your systems are cloud-based, on-prem, or a combination of both (hybrid), regularly testing your backup and restore procedures is one way to ensure you can recover quickly.
For example, for our Traverse customers, we take full advantage of AWS cloud services to architect a highly available and scalable modern web application. Our robust solution ensures data is stored on redundant and fault-tolerant hardware to avoid service disruptions. Backups are taken regularly, and we exercise our restore process frequently.
Regularly review system access and permissions.
This helps ensure only those that need access to data have it. People are using more and more applications to do their work, so making sure that the appropriate access and permissions are configured for them is critical to ensure data security.
A great way to efficiently handle access and permissions is to use solutions that leverage single sign-on (SSO) capabilities and multifactor authentication (MFA). Taking advantage of SSO allows you to manage your users in one system and have those settings used by other applications. You can enforce your own password policies, audit logs, and permissions in a standard way.
MFA also adds a layer of protection and makes it more difficult for someone to steal information. (Okta’s blog on why MFA is important offers additional insight on this.) Another best practice here is to make sure applications build in measures to validate that the person accessing the software is in fact that person. For example, using biometric data (think facial recognition) or requiring the user to enter a verification code.
Traverse provides single sign-on capabilities that allow for muti-factor authentication to improve security and user experience. Workers don’t have to worry about yet another name and password to remember, which also supports their ability to easily access or collect information when engaging clients. This reduces IT burdens associated with user management because the process of adding or deactivating users is more efficient and less prone to human error.
Find reliable software partners.
At the end of the day, your agency’s IT resources are already stretched so thin. It’s nearly impossible to be effective managing cybersecurity on top of everything else (read more on the pitfalls of this DIY mentality here), especially when so many software and cloud providers can bear the burden—and the associated costs—for you.
Trusted software partners will be well-versed in security and privacy and have these types of advanced measures built into their tools. They’ll monitor for network intrusions, ensure uptime and performance, and constantly be testing for vulnerabilities.
For example, here are some additional privacy and security measures that Northwoods employs:
- Our dedicated teams continuously monitor our solutions, test for vulnerabilities, and optimize our solutions to work efficiently and securely.
- We continuously integrate to minimize duplicate data and potential errors, while increasing availability.
- We regularly submit ourselves to audits (e.g., SOC2 and AWS Well-Architected Reviews) and remediate anything we find.
- Our teams take regular security training and attend security conferences and events to stay up to date on trends and potential threats.
What’s Next? Cybersecurity Questions for Human Services Technology Vendors
As you vet a potential vendor or solution for security and technical specifications, use this list of questions to make sure all your bases are covered.
- What’s your organization’s level of sophistication with hosting technology solutions in the cloud? What service provider(s) do you partner with and what’s their experience?
- How are you going to secure our data? How is it encrypted (both in-transit and at rest)?
- How will you integrate with our existing systems? How frequently will data be exchanged?
- What kind of access permissions are needed (e.g., read-only access or read-and-write access) to get to our data?
- How is your software application monitored?
- Do you use Fed RAMP-compliant and/or HIPAA-compliant services? What are you doing to prove compliance with these controls? How often do you audit your security/privacy controls?
- How durable is your system?
- What backup and recovery process do you have in place? How do you handle a failover? What’s your fault tolerance? What is your uptime SLA (service level agreement)?
- How do you authenticate users to the system? What third-party authentication providers can you integrate with?
- Will our data be isolated from other customers? Will we have to share services?
- How often do you identify and correct issues or vulnerabilities in your software?
- Do you have a dedicated DevOps or security team that’s actively monitoring and caring for the system?
- What other safety and privacy measures are built in?
You should always ask to see a company’s audit results, such as their SOC2 audit report, and third-party attestations to validate their claims as well.
Even if you’re not directly responsible for cybersecurity, it’s good to be aware of these best practices to protect your agency from a costly mistake. Have additional questions or concerns? We’re happy to help! Read our eBook on leveraging cloud technology for human services for more best practices.