The Ponemon Institute recently released its Second Annual Benchmark Survey on Patient Privacy and Data Security. The study focused on actual data loss experience from a sample of 72 healthcare organizations. Compared with last year’s data, the results indicate a rise in both the occurrence and the cost of breaches. 96% of organizations admitted to suffering at least one breach within the past 2 years. Based on the study, the estimated financial impact of a data breach is $2,243,700 per organization. Asked which types of negative impact a breach directly caused, 81% reported time and productivity loss. Other responses included fines and penalties (37%) and lawsuits (23%). These are high percentages for impacts that are preventable. The results show a clear need for organizations to implement incident response plans. Once a breach occurs, there is no need for organizations to expend excessive time, energy, and additional money on fines and/or class-action suits. If proper notification and breach procedures are worked out beforehand and followed efficiently, these negative impacts can be eliminated.
Co3 Systems created a Top 10 breach/data loss objectives list that walks organizations through the steps needed to prepare for a potential data breach.
Top 10 Breach/Data Loss Objectives
#10: Know what & where your sensitive data is
- First name or first initial, and last name
- Social security number
- Bank number / access code
- Credit card number
- Driver’s license number
- Unique biometric data
- State ID number
- Medical info
- Which states?
- Electronic & paper records
- File servers
- Storage systems
- Application servers
- End-points: PCs, laptops, mobile devices
- Paper records
#9: Get rid of the data whenever possible
- Delete it
- Replace it
- Obfuscate it
- Encrypt it
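Objectives #10 and #9 together amount to a data inventory: find the identifiers the list names wherever they live, then replace or obfuscate them. The following added example (not Co3 code; the storage locations, records, and identifier values are constructed) scans a small inventory for Social Security and credit card numbers, uses a Luhn check to discard digit runs that only look like card numbers, and produces a masked copy.

```python
import re
from typing import Dict, List, Tuple
# SSN pattern rejects never-issued area/group/serial values; a card candidate
# is 13-16 digits with optional separators and must also pass the Luhn check.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops invoice or account numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_sensitive(kind: str, raw: str) -> bool:
    """A card candidate counts only if it passes Luhn; SSNs are accepted by pattern."""
    return luhn_ok(re.sub(r"\D", "", raw)) if kind == "credit_card" else True

def mask(raw: str) -> str:
    """Objective #9, 'obfuscate it': keep only the last four digits for reconciliation."""
    digits = re.sub(r"\D", "", raw)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(records: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Objective #10: report (location, data type, masked value) for each verified hit."""
    findings = []
    for location, text in records.items():
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(text):
                if is_sensitive(kind, m.group(0)):
                    findings.append((location, kind, mask(m.group(0))))
    return findings

def redact(text: str) -> str:
    """Return text with every verified hit replaced by its masked form."""
    for kind, pat in PATTERNS.items():
        text = pat.sub(lambda m, k=kind: mask(m.group(0)) if is_sensitive(k, m.group(0)) else m.group(0), text)
    return text

# Constructed sample inventory keyed by where the data lives (file server, laptop, scanned paper form).
SAMPLE_RECORDS = {
    "fileserver://hr/payroll.csv": "jsmith,John Smith,078-05-1120,2011-03-01",
    "laptop://sales/notes.txt": "card 4111 1111 1111 1111 on file; invoice 1234 5678 9012 3456",
    "scanner://intake/form-17.txt": "Patient ref 42, no identifiers recorded",
}
```

Calling `scan(SAMPLE_RECORDS)` reports the SSN on the file server and the card number on the laptop, while the invoice number fails Luhn and is ignored.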
#8: Define your policies
- Processes to be followed by incident type
- Standardized interpretation of legal / regulatory requirements - Which apply? Which don’t? Under what circumstances?
- Standardized, consistent process through which all incidents are handled
- Which contractual requirements do you need to include?
#7: Run assessments
- Gauge the impact of different data loss scenarios
  - Cyber breach, lost laptop, etc.
  - What tasks would you need to complete?
  - What fines might you be subject to?
- Complete privacy impact assessments for proposed projects
  - What data is being collected?
  - What would the impact be if the data were lost?
#6: Build an incident response plan
- Internal notifications / actions
- Consumer notifications
- Authority notifications
- Agency notifications
- Vendors / 3rd parties
#5: Identify and prepare your team
- IT, Legal, Compliance, Audit, Privacy, Marketing, Senior Executive
- Keep in mind external partners: legal, audit, security consultants, law enforcement, other partners
- Communicate responsibilities / share the load
- Practice (see “Run a fire drill”)
#4: Be ready to gather forensics
How will you gather the data you need?
- Network activity
- Hard drive forensics
- Memory forensics
- Access logs (IT and physical)
- Logistics (paper records)
#3: Have external resources ready
- Call center
- Notification fulfillment
- Credit monitoring
- Law enforcement
- Consultants/service providers: security, etc.
#2: Track everything
- Gauge performance
- Supporting auditing/reporting
- Identify problem areas/systems
- Catalyze improvement
- Calculate cost to close
#1: Run a simulation/fire drill
Don’t wait for the real thing – practice!
- Gauge organization preparedness
- Catalyze improvement
- Who’s missing from your team?
- Did you overlook a regulator?
- Do you need to add a partner?
Ted Julian is Chief Marketing Officer at Co3 Systems.