How to survive (if not prevent) a breach
September 25, 2013 in Medical Technology
Security breaches are no fun. Your organization’s name is splashed all over the news. Your reputation takes a hit. Your patients’ trust is eroded. And the prospect of a hefty monetary settlement is something few want to think about. But it’s not the end of the world.
At the HIMSS Media/Healthcare IT News Privacy Security Forum in Boston on Tuesday, a hospital CIO, a compliance expert and a law enforcement official offered a primer for preparing for and, hopefully, preventing a security breach. They also offered some tips for making the most of the situation should the unwelcome event occur.
In a session titled, “Preparing Now for How to Respond to the Security Breach You Hope Never Happens,” Forest Blanton, senior vice president and CIO at Hollywood, Fla.-based Memorial Healthcare System; Nicole Keefe, director of IT at Santa Barbara, Calif.-based compliance consultants Novacoast; and Steve Morreale, chair of the criminal justice department at Worcester (Mass.) State University – and a former special agent at U.S. Department of Health and Human Services’ Office for Civil Rights – had some advice for healthcare organizations: prepare, and don’t panic.
The great danger of a security breach, of course, lies in “the unknown unknown,” as panel moderator Jon Hale, vice president of security practice at Attachmate, put it.
That’s why it’s of utmost importance to familiarize yourself with HIPAA and subject your organization to a rigorous risk assessment. That includes getting definitive answers to two questions, said Keefe: “Where does the data lie, and who’s touching the data?”
And the key to an effective assessment is to always be assessing, she said: “We see a lot of people scrambling around to make risk assessments at the time they need to be compliant – then it falls by the wayside, it’s not an ongoing process.”
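Keefe’s two questions, where the data lies and who is touching it, are answerable from records most organizations already keep. The following is an added example, not code from the panel or from Novacoast: it joins a constructed data-store inventory (which stores hold PHI, which roles may use them, when each was last assessed) with a constructed access log, lists who has touched each store, flags PHI access by users whose role is not permitted or who are absent from the directory, and flags PHI stores whose assessment is older than a chosen age so the review does not “fall by the wayside.” The store names, users, roles and 180-day window are illustrative assumptions.

```python
"""Continuous data-access assessment over a store inventory and an access log.

Added example; the inventory, directory and log below are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed inventory: store -> PHI flag, roles allowed to touch it, last assessment
INVENTORY = {
    "ehr-db": {"phi": True, "allowed_roles": {"clinician", "billing"},
               "last_assessed": date(2013, 3, 1)},
    "billing-share": {"phi": True, "allowed_roles": {"billing"},
                      "last_assessed": date(2013, 9, 1)},
    "intranet-wiki": {"phi": False, "allowed_roles": {"staff"},
                      "last_assessed": date(2012, 1, 15)},
}

# Constructed directory: user -> role
DIRECTORY = {"alice": "clinician", "bob": "billing", "carol": "staff"}

# Constructed access log: "<timestamp> <user> <store> <action>" per line
ACCESS_LOG = """\
2013-09-20T08:01:12 alice ehr-db read
2013-09-20T08:05:40 bob billing-share read
2013-09-20T09:12:03 carol ehr-db export
2013-09-21T10:30:00 bob ehr-db read
2013-09-21T11:00:00 dave billing-share read
2013-09-21T11:02:00 carol intranet-wiki read
"""


def parse_log(text):
    """Split whitespace-delimited log lines into event dicts; blank lines skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, store, action = line.split()
        events.append({"ts": ts, "user": user, "store": store, "action": action})
    return events


def who_touches(events):
    """Question two: the set of users that has touched each store."""
    touched = defaultdict(set)
    for e in events:
        touched[e["store"]].add(e["user"])
    return dict(touched)


def unauthorized_access(events, inventory, directory):
    """PHI-store accesses by users whose role is not allowed or who are not in the directory.

    Returns (timestamp, user, role-or-None, store, action) tuples.
    """
    findings = []
    for e in events:
        entry = inventory.get(e["store"])
        if entry is None or not entry["phi"]:
            continue  # unknown or non-PHI store: out of scope for this check
        role = directory.get(e["user"])  # None for accounts missing from the directory
        if role not in entry["allowed_roles"]:
            findings.append((e["ts"], e["user"], role, e["store"], e["action"]))
    return findings


def stale_assessments(inventory, today, max_age_days=180):
    """Question one kept current: PHI stores not assessed within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(name for name, entry in inventory.items()
                  if entry["phi"] and entry["last_assessed"] < cutoff)


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    for store, users in sorted(who_touches(events).items()):
        print(f"{store}: touched by {sorted(users)}")
    for finding in unauthorized_access(events, INVENTORY, DIRECTORY):
        print("UNAUTHORIZED PHI ACCESS:", finding)
    for store in stale_assessments(INVENTORY, date(2013, 9, 25)):
        print("ASSESSMENT OVERDUE:", store)
```

Run on a schedule against the real inventory and log export, the same three functions give a standing answer to both questions rather than a one-time snapshot; the interesting output is the unauthorized-access list (here the staff account exporting from the EHR store and an account missing from the directory), which is exactly the “low-tech” insider activity the panel warns about.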
With employees handling data every day, we can’t simply “look at an assessment just like a checklist,” said Blanton – a once-and-done review to make sure that technology systems are sound and compliant.
Indeed, the most damaging security problems are often “low-tech,” he said, and can happen on any given day – employees stealing copies of face sheets, for example, or taking pictures with camera phones.
Health organizations “need to be concerned about identifying problems beforehand” and then being constantly vigilant about new ones that might crop up, said Morreale. “Know what you don’t know.”
It’s crucial, he said, to recognize “what you have that other people might find useful.” Social Security numbers and addresses, especially those of elderly patients, are like catnip to malefactors.