Top 10 Breach/Data Loss Objectives

The Ponemon Institute recently released their Second Annual Benchmark Survey on Patient Privacy and Data Security. The study focused on actual data loss experience from a sample of 72 healthcare organizations. Compared with last year’s data, results indicate a rise in both occurrence and costs. 96% of organizations admitted to suffering from at least one breach within the past 2 years. Based on the study, the estimated financial impact of a data breach is $2,243,700 per organization. When asked which types of negative impacts were directly caused, 81% reported time & productivity loss. Other responses included: fines & penalties (37%) and lawsuits (23%). These percentages are considerably high for preventable attributes. Results depict there is great need for the implementation of incident response plans. Once a breach occurs, there is no need for organizations to expend excessive amounts of time, energy, and additional money on fines and/or class-action suits. If proper notification and breach procedures are practiced beforehand and efficiently followed, these negative impacts can be eliminated.

Co3 Systems created a Top 10 breach/data loss objectives list that helps organizations with the necessary steps in preparation of potential data breach.

Top 10 Breach/Data Loss Objectives

#10:  Know what & where your sensitive data is

What

• First, first initial and last name
• Social security number
• Bank number / access code
• Credit card number
• Drivers license number
• Unique biometric data
• Fingerprints
• State ID number
• Medical info
• Which states?
• Electronic & paper records

Where

• File servers
• Storage systems
• Application servers
• End-points:  PCs, laptops, mobile devices
• Paper records

#9: Get rid of the data whenever possible

• Delete it
• Replace it
• Obfuscate it
• Encrypt it

 #8: Define your policies

• Processes to be followed by incident type
• Standardized interpretation of legal / regulatory requirements - Which apply?  Which don’t?  Under what circumstances?
• Standardized, consistent process through which all incidents are handled
• Contractual requirements you need to include?

 #7: Run assessments

• Gauge impact of different data loss scenarios

Cyber breach, lost laptop, etc.

What tasks would you need to complete?

What fines might you be subject to?