Breach Prevention: Setting Priorities

Two Experts Offer Practical Advice

Failure to follow basic information security practices is a big reason behind many healthcare breaches, says security specialist Mac McMillan.


"This is about people not paying attention to assets, not encrypting things where they should, not providing adequate physical protection," says McMillan, CEO of the consulting firm CynergisTek. He made a presentation with Adam Greene, partner at the law firm Davis Wright Tremaine LLP, at the Healthcare Information and Management Systems Society Conference in Las Vegas.

The top lessons from major healthcare information breaches, according to McMillan and Greene, are:

  • Be less concerned with hackers, and more concerned with employees. "Over half of the large breaches have been due to a single cause - theft," Greene says.
  • Don't forget to protect paper records. Too often, boxes of medical records are improperly disposed of, Greene says.
  • Closely monitor business associates. With about 22 percent of breaches, including many of the largest incidents, caused by business associates, Greene says organizations need to go beyond spelling out expectations in business associate agreements to carefully review and continually monitor business associates' security practices. Organizations need to start with both a legal and security review during the vendor selection process. "If you're going to share PHI with a vendor, doesn't it make sense that they should be able to demonstrate they have a security program before you even select them for consideration?" McMillan asks.
  • Be aware of costly sanctions. Massachusetts General Hospital paid $1 million to settle a case involving paper records left on a subway that led to a violation of the HIPAA privacy rule. "If you take the government at its word, it wasn't just a breach, it was an accident waiting to happen," Greene says, referring to the case.
  • Conduct a thorough risk assessment. Identify all points of risk within the organization and decide where improvements need to be made, McMillan says.
  • Adopt an industry-recognized information security model for measurement of a security program. These include the Health Information Trust Alliance's Common Security Framework and the National Institute of Standards and Technology's risk assessment model, McMillan points out.
  • Devote adequate resources to information security technology and training. Healthcare spends about half of what other industries devote to information security, McMillan contends.


About the Author

Jeffrey Roman


News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
