The Security Scrutinizer with Howard Anderson

Use Breach List to Win Security Funds

If you're looking for a way to persuade your CEO and board of directors to provide increased funding for information security, show them the list of major healthcare information breaches reported to federal regulators.

The official breach tally, compiled by the Department of Health and Human Services' Office for Civil Rights, shows more than 100 incidents have been reported dating back to September, when the HITECH Act's breach notification rule took effect. And the breaches have occurred at organizations ranging from clinics with one physician to large insurance firms. So no one is immune.

Whether you work at a hospital, a clinic or an insurance company, you cannot afford the bad publicity and high expense involved in reporting a breach.

Clearly, conducting a thorough risk assessment to identify areas of vulnerability that need to be addressed is a critical step.

But the breach list highlights, in particular, the need for securing mobile devices and media.

A majority of the incidents reported so far involve the theft or loss of unencrypted computer devices, such as laptops, USB flash drives, CDs or hard drives.

To help protect mobile devices and media, Terrell Herzig, information security officer at UAB Medicine, Birmingham, Ala., offers a list of 10 action items that goes far beyond the use of encryption, including such steps as developing a comprehensive set of policies and providing extensive staff education.

Tom Walsh, president of Tom Walsh Consulting, Overland Park, Kan., is hopeful the publicity surrounding the federal list will lead to a decline in breaches over time.

"When you explain to an executive you can encrypt a laptop for $55 or less, get a 4G encrypted USB for $75, and then measure these preventive costs against the cost of breach notification and remediation, the light bulb goes off," he says.

Dealing with even a relatively small breach involves such costs as mailing letters to patients affected, setting up toll-free phone numbers for information, and, in many cases, providing expensive credit protection.

But if the breach is a large one, like the case of BlueCross BlueShield of Tennessee, the costs can be enormous. The health insurer estimates it will spend more than $7 million dealing with its breach, which affected nearly 1 million individuals. The insurer hired a firm to conduct extensive forensics work to pinpoint the data involved. And in the wake of the incident, it's taking many new steps, including appointing a chief security officer and expanding its use of encryption.

So when your CEO or board asks for evidence of a return on an information security investment, show them the federal breach list and news accounts about organizations dealing with the aftermath of security incidents.

That should get their attention.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.