Posted 4.23.13
by wpadmin
Blog

2013 HCCA: Latest Trends in Data Breach Threats

Online Tech is exhibiting HIPAA hosting solutions at booth #919 at the Health Care Compliance Association (HCCA)’s 17th Annual Compliance Institute Conference April 21-24 in National Harbor, MD. The conference draws in healthcare compliance professionals, risk managers, privacy officers, healthcare CFOs and CEOs, and more.

Advanced Discussion Group: The Latest Trends in Data Breach Threats
Speaker: Ted Kobus, Co-Leader, Privacy and Data Protection, BakerHostetler

Ted directed an open roundtable discussion among twenty or so audience members who worked within either a compliance, government or consultant role surrounding data breaches.

Those that worked on the compliance side of a data breach were asked to share what their role entailed after a breach occurred and how they move forward providing information to appropriate parties in the wake of a breach. All were in agreement that their position required heavy lifting on the side of analysis in order to determine:

  • What sort of data had been breached
  • How much data had been breached
  • What sorts of organizations needed to be involved in the aftermath of the breach
  • What portion of the general public was affected by the breach
  • Which stakeholders needed to be involved in the decision making process to move forward

There was some volleying back and forth among the audience on whether it is better to push a notification out as soon as a breach is detected, before sufficient facts and evidence have been collected, and then backtrack if the breach turns out to be smaller than initially anticipated, or whether it is better to gather as much information as possible and answer the items bulleted above before making any sort of public-facing announcement.

The discussion went on to contrast the focus of CEOs with that of Compliance Officers in the wake of a breach. For most CEOs, reputation, operations and financials are the primary points of focus after a breach, but those concerns take a backseat during the initial breach investigation.

Questions circled back around to whether it is right or wrong to push out notification of the breach before all of the information is collected. After a bit of deliberation on the key questions to ask, most audience members agreed that the following questions should be answered before any type of notification is pushed out the door.

  • How did the breach happen?
  • What is the organization going to put in place so that it does not happen again?
  • What data was breached and how much?
  • Was it encrypted?
  • Who from the general public are you going to be hearing from?

With the answer to those questions in place, the notification and communication that ensues between the organization, affected public and media will be much smoother to deal with from the PR side of the situation.

Ted noted that the two biggest aspects of the Final Rule for every organization to make note of were compliance and documentation.

Key discussion takeaway?

Your organization must make developing a culture of compliance its first priority. It will make life easier on everyone in the organization in the event of a breach investigation.

Related Articles:
2013 HCCA: The Defining Moments of a Data Breach
HHS Wall of Shame: Forty Percent of 2013 HIPAA Breaches Involved Business Associates
Healthcare Industry Loses $7 Billion Due to HIPAA Data Breaches
