The Ponemon Institute recently released its Second Annual Benchmark Survey on Patient Privacy and Data Security. The study focused on actual data loss experience from a sample of 72 healthcare organizations. Compared with last year’s data, the results indicate a rise in both the occurrence and the cost of breaches. 96% of organizations admitted to suffering at least one breach within the past 2 years. Based on the study, the estimated financial impact of a data breach is $2,243,700 per organization. When asked which negative impacts a breach directly caused, 81% reported lost time and productivity. Other responses included fines and penalties (37%) and lawsuits (23%). These percentages are high for impacts that are largely preventable. The results show a clear need for organizations to implement incident response plans. Once a breach occurs, there is no need for organizations to spend excessive time, energy, and additional money on fines and/or class-action suits. If proper notification and breach procedures are practiced beforehand and followed efficiently, these negative impacts can be eliminated.
Co3 Systems created a Top 10 breach/data loss objectives list that walks organizations through the steps needed to prepare for a potential data breach.
Top 10 Breach/Data Loss Objectives
#10: Know what & where your sensitive data is
- First name (or first initial) and last name
- Social security number
- Bank number / access code
- Credit card number
- Driver’s license number
- Unique biometric data
- State ID number
- Medical info
- Which states?
- Electronic & paper records
- File servers
- Storage systems
- Application servers
- End-points: PCs, laptops, mobile devices
- Paper records
#9: Get rid of the data whenever possible
- Delete it
- Replace it
- Obfuscate it
- Encrypt it
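Objectives #10 and #9 together amount to a technique: locate the sensitive identifiers named above in the records you hold, then reduce exposure by masking what does not need to be kept. The following is an added example, not code from Co3 Systems or the survey; it scans constructed sample records for Social Security and credit card numbers (validating format and the Luhn checksum to cut false positives) and obfuscates them to the last four digits.

```python
import re

# Constructed sample records: the card number passes the Luhn check; the
# second SSN-like number has an invalid area (000) and should be skipped.
SAMPLE_RECORDS = [
    "patient: J. Smith ssn 123-45-6789 card 4111 1111 1111 1111",
    "note: invoice 2024-0001 ref 000-12-3456 phone 555-0100",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def find_sensitive(text: str):
    """Return (kind, start, end) for each validated identifier in the text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", m.start(), m.end()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])

def mask(text: str) -> str:
    """Objective #9 (obfuscate): keep the last four digits, star out the rest."""
    out = text
    for _kind, start, end in reversed(find_sensitive(text)):
        value = text[start:end]
        out = out[:start] + re.sub(r"\d", "*", value[:-4]) + value[-4:] + out[end:]
    return out

def inventory(records):
    """Objective #10: which record holds which kind of sensitive data."""
    return {i: [h[0] for h in find_sensitive(r)] for i, r in enumerate(records)}
```

The same scan can be pointed at the file servers, storage systems and end-point exports listed under #10 to build the data inventory before deciding what to delete, replace, obfuscate or encrypt.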
#8: Define your policies
- Processes to be followed by incident type
- Standardized interpretation of legal / regulatory requirements - Which apply? Which don’t? Under what circumstances?
- Standardized, consistent process through which all incidents are handled
- Which contractual requirements do you need to include?
#7: Run assessments
- Gauge the impact of different data loss scenarios: cyber breach, lost laptop, etc.
- What tasks would you need to complete?
- What fines might you be subject to?