Bracing Health IT Clients For International Data Breaches
By Megan Williams, contributing writer
In the wake of the Community Health Systems breach, it’s almost easy to forget the Heartbleed shockwave from earlier this year. The industry is left with many questions, all of them complicated by the international component brought to light by our latest mass security violation.
Is The Industry Underprepared?
According to an article at CIO, Daniel Nutkis, CEO of the Health Information Trust Alliance, says the industry should stay the course and continue with our current IT security standards. “Nothing observed would suggest existing defenses, countermeasures or compensating controls are not sufficient. This is not something that's new,” Nutkis is quoted as saying.
At the same time, the FBI has warned that, in general, the healthcare industry is under threat from “malicious actors,” and, according to Health IT Outcomes, healthcare IT security systems typically are not as strong as those in other industries.
Is The Cloud Hurting?
Cloud computing is becoming much more common in healthcare, and along with the benefits it brings, there are, of course, risks. Security Info Watch, in a conversation with Experian Data Breach Resolution VP Michael Bruemmer, noted that because of the expansive nature of Big Data and the cloud, there would be not only a general increase in the potential for breaches, but a particular risk to healthcare.
What Does Preparation Look Like?
While healthcare has been, and likely will continue to be, somewhat slow in its reaction to international breaches, Experian provides useful advice on international data breaches that is applicable to the healthcare industry.
- Create An International Breach Response Plan. An updated plan can save a business 25 percent per record (according to the Ponemon Institute), which, even with the cost of breaches dropping, can amount to a savings of $1.2 million per breach. The plan should include an internal response team, external consultant and steps that need to be taken to investigate, mitigate, and respond to a breach.
- Get The CEO On Board. Incident response plans are driven by their implementation teams. The team should be made up of a lead, senior management, compliance, privacy, IT security, legal counsel, risk management, PR, HR, and customer service or patient relations. Even with all that involvement, nothing gets done without the endorsement and support of the CEO.
- Practice Makes Perfect. A response plan must be practiced. A response team may also need updating as people cycle through the organization. Plans should keep an updated list of external partners as well.
- Walk In Your Customers’ (Patients’) Shoes. It’s their information that’s at risk, so their experience should be at the center of all breach preparation. Consider how they feel and what you will need to do to rebuild their trust after a breach. Small things like providing an identity protection product with credit monitoring can help ease their fears (especially important in healthcare where patients may withhold information from EHRs for fear of it being stolen). Be honest in your notification letters, emails, and website and call center messages.
To read more on network security for hospitals, see “6 Critical Pressure Points Of Healthcare Network Security.”