04-22-13 | Blog Post
Online Tech is exhibiting HIPAA hosting solutions at booth #919 at the Health Care Compliance Association (HCCA)’s 17th Annual Compliance Institute Conference April 21-24 in National Harbor, MD. The conference draws in healthcare compliance professionals, risk managers, privacy officers, healthcare CFOs and CEOs, and more.
The Defining Moments of a Data Breach
Speakers: John Ford, Principal, Sienna Group LLC
Kurt Long, CEO, Founder, FairWarning Inc.
Kurt and John have teamed up several times to give this presentation and the following presentation was a dialogue between both Kurt and John on dealing with healthcare data breaches.
Kurt – Data breaches with a healthcare organization take on many forms. Research shows that most organizations are not well prepared to detect and combat data breaches.
John – Fraud is a huge issue. In many of the fraud scenarios, it pertains mainly to patient data. Healthcare fraud in the U.S. costs the industry $80 billion to $225 per year. The key to lowering the number is to catch the criminal behavior at the point of origin.
Kurt – Organization today are dealing with much more heightened issues pertaining to a data breach. There are several types of “follow-up” crimes that can come out of a data breach of patient information. Kurt highlighted the following:
Organized criminals have noticed that health care providers have incredibly critical information pertaining to an individuals’ financial information and their systems often have major privacy and security vulnerabilities.
John – Most people are not prepared for data breach that occurs through organized crime. Those types of organizations typically receive a call from law enforcement (considered an external notification) and in those cases, everything comes to a grinding halt for about 48 hours while executive and operational teams are deployed to investigate the source of the breach.
The general theme at that point in time is to develop a breach response plan. Most people do not have an adequate plan that they test prior to any sort of breach and are scrambling to put one in place.
Organizations need to have a plan already in place because time is not your organization’s time in a situation that big. Upon notification of the breach, the organization will be pressed for an explanation from everyone; from the media to patients and providers.
John listed the key issues to address at that time of a breach:
Having a well-crafted plan in place for a data breach will be imperative for your organization. The plan must include a method for active user activity monitoring and thorough log correlation and analysis.
Kurt – By using constructive knowledge leading up to a data breach and proactively taking the correct steps trying to implement the correct processes, you may be immune to civil penalties.
John – Modern strategies out there to impede fraud and future strategies will strive to stop the fraud at the point of origin.
Encryption and authentication are not going to help after a breach. The organization has to go out and find the answers and track down the user logs, essentially shutting the businesses down for 105 days while they try to figure out where the breach came from.
Take-away points from the presentation: