7 steps to help safeguard against breaches
At the same time that the government is encouraging healthcare providers, doctors and insurance companies to digitize healthcare information, the opportunities for attacking that information are growing dramatically. Data breaches occur routinely, but data security experts warn that waiting until a breach occurs costs vastly more than doing the upfront work to prevent it.
"A security breach is an incredibly expensive problem," said Danny Creedon, managing director at Kroll Advisory Solutions, a company that deals in risk mitigation and response. "There's significant cost surrounding investigation, notification, remediating what occurred and putting into place services like credit monitoring and identity theft monitoring that have a monthly cost per person and remain in effect for some time.
"Unfortunately," Creedon continued, "most healthcare organizations don't take data security seriously until there's a breach. They never seem to have funds available to appropriately support a data security program until they actually have a breach. Then the funds seem endless."
It's more cost effective to perform a risk assessment and remediate the identified vulnerabilities now than to go through a breach response later. Creedon offered seven low-cost tips for healthcare providers and their trading partners to perform a self-risk assessment.
1. Cast a wide net. To get the most comprehensive assessment possible, healthcare organizations will want to ensure the proper stakeholders are involved. This might include subject matter experts from cross-functional areas such as IT, operations, human resources, compliance and legal, as well as other key supervisors or managers. Once those stakeholders have been identified, the next step is to establish protocols for tasks, timelines and communication among the team to ensure everything runs as smoothly as possible.
2. Fully scope the risk assessment. "During risk assessment, too many people focus on the technical side of things and forget about the organizational concern, which includes policy and procedures. Or, vice versa," said Creedon. Providers need to know the full scope of their compliance obligations. The HIPAA Security Rule requires "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (EPHI) held by the covered entity." However, if organizations are working on attesting to Stage 1 meaningful use, their focus will likely be narrowed to that which specifically applies to certified electronic health record (EHR) technology. For Stage 2, they'll need to ensure that they have addressed encryption and/or security of data at rest. Regardless of compliance requirements, make sure the scope of the assessment is clearly defined, and that teams understand and recognize the focus.
2 Comments
pjcasey75 says: Add #8: Conduct "Breach Drills"
Dealing with fire safety, we do not assume that all our efforts to prevent fires will be 100% effective, and neither should organizations pay exclusive attention to preventing security breaches. If so, you'll implement preventative measures galore, but still remain unprepared should the worst actually occur. The damage will be greater if you only plan to AVOID the worst instead of ALSO planning FOR the worst.
You'll be better off if you have personnel trained and policies in place to respond in a quick and orderly manner (just like the fire drill) to an actual breach. Too many security risk assessments focus ONLY on prevention, and fail to prepare to minimize (think fire extinguisher, close panic doors, turn on sprinkler system) and then mitigate (apply first aid training, CPR where necessary, drive the routes to ER, etc.) the damage of an actual breach.
Just as with a fire, the quicker you respond to a security breach, the better chance you have of minimizing the damage. For example, if a cell phone is lost, a phone which you suspect may have PI actually on it, or which may have stored id/password combinations which provide automatic access to otherwise secured areas (dumb idea, but it happens), does anyone know how to contact your cell phone carrier to instruct them to "wipe" that phone ASAP? Does anyone in your organization know how to do that? Does anyone even have AT&T's number (for example) on file anywhere (besides your smartphone, that you just lost?) If you wipe the phone within 24 hours, you may actually get to your customer's private data before somebody finds the lost phone to tamper with it. You may still have to disclose the breach, but at least the PI won't actually wind up being used in some Romanian internet cafe buying who knows what, who knows where. (In addition to this fine publication, I also read Wired a little too much.)
Do you know who to call to prepare and implement a large scale notification plan for your affected customers, and would you know how to provide identity theft coverage for them for 12 months, all within a week or two's time? If not, your penalties may go up (as you don't have forever to respond to this disaster) and your reputation may be finished in any case if you can't react with the speed and integrity of a Johnson & Johnson after an historic product tampering scare.
Just as with fire safety, doing the drill may save you. Don't count on preventing fires alone. Otherwise, you will get burnt.
Tina Stewart says: Budgets Constrained Until A Breach Occurs
Steff, it's fascinating that time and again budgets are constrained until a breach occurs. As Danny Creedon said, a security breach is an incredibly expensive problem. And the cost is not only in the cleanup and mitigation. Collateral damage to a brand and the trust placed in the institution is huge. The steps you present are helpful. As the South Carolina Dept of Revenue is learning the hard way, hackers are using increasingly sophisticated mechanisms to penetrate networks and steal sensitive data. Skipping data security like encryption and access control is a recipe for disaster. @SocialTIS