TRENDING:

Breach Prevention: Setting Priorities

Two Experts Offer Practical Advice Jeffrey Roman (gen_sec) • February 29, 2012    
Breach Prevention: Setting Priorities

Failure to follow basic information security practices is a big reason behind many healthcare breaches, says security specialist Mac McMillan.

See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm

"This is about people not paying attention to assets, not encrypting things where they should, not providing adequate physical protection," says McMillan, CEO of the consulting firm CynergisTek. He made a presentation with Adam Greene, partner at the law firm Davis Wright Tremaine LLP, at the Healthcare Information and Management Systems Society Conference in Las Vegas.

The top lessons from major healthcare information breaches, according to McMillan and Greene, are:

  • Be less concerned with hackers, and more concerned with employees. "Over half of the large breaches have been due to a single cause - theft," Greene says.
  • Don't forget to protect paper records. Too often, boxes of medical records are improperly disposed of, Greene says.
  • Closely monitor business associates. With about 22 percent of breaches, including many of the largest incidents, caused by business associates, Greene says organizations need to go beyond spelling out expectations in business associate agreements to carefully review and continually monitor business associates' security practices. Organizations need to start with both a legal and security review during the vendor selection process. "If you're going to share PHI with a vendor, doesn't it make sense that they should be able to demonstrate they have a security program before you even select them for consideration?" McMillan asks.
  • Be aware of costly sanctions. Massachusetts General Hospital paid $1 million to settle a case involving paper records left on a subway that led to a violation of the HIPAA privacy rule. "If you take the government at its word, it wasn't just a breach, it was an accident waiting to happen," Greene says, referring to the case.
  • Conduct a thorough risk assessment. Identify all points of risk within the organization and decide where improvements need to be made, McMillan says.
  • Adopt an industry-recognized information security model for measurement of a security program. These include the Health Information Trust Alliance's Common Security Framework and the National Institute of Standards and Technology's risk assessment model, McMillan points out.
  • Devote adequate resources to information security technology and training. Healthcare spends about half of what other industries devote to information security, McMillan contends.

Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.

Previous
Can DMARC Hook Online Phishers?
Next
Netgear Updates Security Line

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.



Around the Network

Are We Facing a Massive Cybersecurity Threat?
Are We Facing a Massive Cybersecurity Threat?
Why Legacy Medical Systems Are a Growing Concern
Why Legacy Medical Systems Are a Growing Concern
How to Simplify Data Protection within your Organization
How to Simplify Data Protection within your Organization
Top Privacy Considerations for Website Tracking Tools
Top Privacy Considerations for Website Tracking Tools
HHS OCR Leader: Agency Is Cracking Down on Website Trackers
HHS OCR Leader: Agency Is Cracking Down on Website Trackers
Integrating Generative AI Into the Threat Detection Process
Integrating Generative AI Into the Threat Detection Process
Closing Privacy 'Loopholes' in Reproductive Healthcare Data
Closing Privacy 'Loopholes' in Reproductive Healthcare Data
CyberArk CEO Touts New Browser That Secures Privileged Users
CyberArk CEO Touts New Browser That Secures Privileged Users
What's Inside Washington State's New My Health My Data Act
What's Inside Washington State's New My Health My Data Act
Checking Out Security Before Using AI Tools in Healthcare
Checking Out Security Before Using AI Tools in Healthcare

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.