Breach Resolution: 8 Lessons Learned
CEO Offers Insights to CISOs Based on Experience
Tripathi spelled out in a recent blog post the details of the breach at the organization, a non-profit consultancy. The breach involved the theft of an unencrypted laptop from an employee's car. It affected about 1,000 patients of the collaborative's physician group practice clients and cost almost $300,000 to resolve.
In an in-depth interview, Tripathi outlines important lessons learned that apply to IT security leaders, healthcare organizations and their business associates. Among them are:
- Take responsibility for your actions as an organization and as a leadership team. The laptop incident "was a mistake by a person who violated company policy," he notes. "But on the other hand, they probably didn't have enough education and training and they probably didn't have enough tools to do their job securely." As a result, the company and its CEO took responsibility "for not providing leadership and not providing policies and tools to those on the front lines who were just trying to do their jobs and do the right thing."
- If you experience a breach, "treat it as your most high-priority project." Tripathi held daily meetings with a crisis team to coordinate breach resolution efforts.
- Do not underestimate how difficult it is to respond to and remediate a breach.
- Assume all portable devices contain sensitive information and take action to protect it, including the use of encryption.
In the wake of the breach, Massachusetts eHealth Collaborative broadened its use of encryption and trained all staff on how to use the technology. It now uses whole disk encryption of laptops, file-level encryption for passing files to and from its clients, and secure e-mail.
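As an added illustration of the file-level encryption step mentioned above, and not the collaborative's own tooling, the following Go program seals a client file with AES-256-GCM so that a lost or intercepted copy is unreadable and any tampering is detected on receipt. It assumes a 256-bit key that is provisioned to the client out of band and never stored beside the ciphertext; the sample patient export, the key handling and the function names are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// samplePatientExport is a constructed stand-in for the kind of record that
// could sit on a consultant's laptop or be sent to a client practice.
var samplePatientExport = []byte("patient_id,dob,diagnosis\n1001,1970-01-01,hypertension\n")

// NewKey returns a fresh random 256-bit key. Assumption for this example: the
// key is shared with the client out of band (e.g. during onboarding) and is
// never written next to the encrypted file.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. The output layout is
// nonce || ciphertext || tag; GCM is authenticated, so the recipient can
// detect any modification of the blob, not just read-protect it.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// aead.Seal appends ciphertext and tag to the nonce slice.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails closed on a wrong key, a truncated blob or a
// tampered byte: it returns an error instead of partially decrypted data.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, samplePatientExport)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(samplePatientExport), len(blob))

	pt, err := Open(key, blob)
	fmt.Println("genuine copy opens:", err == nil && string(pt) == string(samplePatientExport))

	// Flip one bit of the ciphertext, as a corrupted or altered copy would.
	blob[len(blob)-1] ^= 0x01
	_, err = Open(key, blob)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

The design point a practitioner should take from this is the authenticated mode: encryption alone would hide the file contents, but without the GCM tag a modified record would decrypt silently to garbage and be trusted downstream. Key distribution is the part this snippet deliberately leaves out; in practice that is the hard half of "file-level encryption for passing files to clients".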
Tripathi is president and CEO of the collaborative, which is supported by 34 non-profit healthcare organizations in Massachusetts. The organization specializes in advising physician group practices and others about the implementation of electronic health records. Tripathi also chairs the Health Information Exchange Workgroup of the federal Health IT Policy Committee, which makes recommendations about health information exchange to the Office of the National Coordinator for Health Information Technology in the U.S. Department of Health and Human Services. Before joining the collaborative, Tripathi was a manager at the Boston Consulting Group and served as founding president and CEO of the Indiana Health Information Exchange. He has a Ph.D. in political science from Massachusetts Institute of Technology.