Friday, February 22, 2013

A Reminder That Security Does Not Come About By Accident But Needs To Be Planned For.

This useful summary popped into the inbox during the break.

11 data security tips for a healthy organization in 2013

By Rick Kam, President and co-founder ID Experts
2013 is the Year of the Snake in Chinese culture. In the healthcare world, I predict 2013 will be the Year of the Data Breach. The numbers back me up: 94 percent of healthcare organizations surveyed suffered data breaches, according to the Third Annual Benchmark Study on Patient Privacy & Data Security, a report recently issued by Ponemon Institute. Given their frequency, data breaches have become what I call an everyday disaster.
Healthcare organizations want and need to protect against organizational and financial stresses of data breaches, but the pervasive nature of electronic protected health information (PHI) makes this a difficult task — an understatement — to be sure.
Nonetheless, I agree with Richard Santalesa, senior counsel at InfoLawGroup LLP: “Resist the urge to ‘skimp’ on security in 2013, thinking ‘we already do enough.’ With fines, penalties and enforcement actions increasing, capable data security personnel, demonstrably solid systems and regular risk reviews should be kept far from the chopping block even in increasingly challenging fiscal environments.”
Data breaches don’t have to be disastrous if organizations take steps to operationalize pre-breach and post-breach processes to better protect patient data and minimize breach impact. With that in mind, a handful of colleagues and I assembled a list of 11 recommendations for a healthier organization in 2013 — and beyond:
1. Establish mobile device and Bring Your Own Device (BYOD) policies that include technical controls and employee and management procedures. I started off with mobile devices for a reason. According to the Ponemon study, 81 percent of organizations permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to their networks or enterprise systems such as email. This means PHI can travel on unsecured devices in the pockets or purses of well-meaning healthcare employees — devices that are subject to theft or loss.
The Ponemon report listed actions some healthcare organizations are taking to secure mobile devices: limiting access from devices to critical systems, including those that connect to PHI, and requiring users to read and sign an acceptable use policy prior to connecting to these systems. Even the Department of Health and Human Services has issued strategies for managing the use of mobile devices in a healthcare environment.
2. Control the cloud or it’ll control you. Make it a point to fully understand what cloud service-level agreements mean in practice and then push for meaningful information on failover and disaster recovery practices used. – Richard Santalesa, senior counsel, InfoLawGroup LLP
3. Have a current breach response plan that is ready and tested. This will help pave the way for a well-executed response that can mitigate the financial, legal and reputational harm caused by a security incident involving patient information. – Marcy Wilder, partner and director of global privacy and information management practice, Hogan Lovells
Read the following 8 tips here:
This is a very worthwhile list and needs to be browsed by those interested in the area!
David.

2 comments:

Paul Fitzgerald said...

This is very timely with the recent hijacking of medical clinic data, the new Privacy Legislation and the proposed mandatory breach notification legislation. As I have said in some other fora, I don't believe that the health industry in Australia realises that they have a problem coming. When the Privacy Commissioner hangs someone out to dry for a serious data breach, it will be a mad dash to "fix" the problem. Vendors and providers are all in the same boat. Those who perform a security audit, get some cyber insurance and begin realising that secure messaging is not the answer, in the short term, are those who will be sleeping easily at night.

Anonymous said...

Paul, you are correct that there is a problem in the health market that not many GPs are aware of, or any of the people that provide them with IT services either.

Data breaches will be in the news in 2013. Although the significant penalties do not hit until 2014, GPs and others associated with the provision of health services need to be aware that they are not immune from class actions either in the event of a significant breach. The remediation costs can be significant.

I have heard on the grapevine that a total Cyber Security product including insurance will be available in mid to late March that will give GPs peace of mind in regards to dealing with and handling a data breach event.

Privacy Paul