Privacy & Security

When a cyber attack hits: Who's in charge?

It takes a combination of specialties to handle a data security incident in a way that fully protects the organization
By Rick Kam
July 30, 2015
09:26 AM

The dangers of data breach make for great headlines: data held for ransom, financial fraud, and medical identity theft, to name a few. But despite the many risks of data breach, from a business standpoint, the most immediate threat in most security incidents is failure to comply with regulatory requirements. The vast majority of security incidents don't turn into data breaches, and not all breaches result in theft or other damages. But failure to report or meet other regulatory requirements can result in stiff penalties regardless. Therefore, incident response processes should be organized not only to address data security but also how best to determine whether an incident is a notifiable breach.

It takes a combination of specialties to handle a data security incident in a way that fully protects the organization. Assessing whether a data breach has occurred or not requires both data security and compliance expertise. Unfortunately, in most businesses, the information security, privacy, compliance and other organizations don't work together fluidly to respond to an incident, leaving the organization vulnerable on the compliance front. A highly effective organization will define parallel paths for incident response very early in the discovery process. This not only enables accurate assessment of the incident from both the information security, compliance, and risk standpoints, it also positions each functional team to provide effective response and risk management throughout the entire lifecycle of the incident, whether or not it is determined to be a breach.

There are some immediate actions that privacy and IT/information security can take together to close the compliance gap. Since the IT/information security team is, by definition, the first responder to a data security event, the first step is to change their policies and operating procedures so that every incident is assessed not only from the security side but also from the compliance viewpoint. There should be:

  • A policy to notify the privacy/compliance team as soon as an event is suspected to be an incident, so they can begin a parallel evaluation into the pertinent compliance requirements.
  • A procedure for promptly and visibly notifying the compliance team and other potential stakeholders. (There must be no risk of a notification getting lost in someone's email inbox).
  • A vehicle for documenting and handing off all of the information needed for the compliance evaluation: What data was touched, how much, whose, etc.? (This will also save time in the compliance process if notification turns out to be necessary.)

Catamaran, a company that provides pharmacy benefits management services to healthcare organizations, functions as both a HIPAA covered entity and as a business associate. When Catamaran implemented incident management software and trained its staff in risk-based incident response, the number of reported incidents went up because the software automates the process of evaluating incidents against the whole matrix of current state and federal regulations. Catamaran discusses its approach in a recent webinar, Bringing Incident Response & Breach Management Out of the Dark Ages.

The focus on thriller-worthy cyber-security threats can distract from the day-to-day, yet critical needs of compliance and risk management. It can also divert funding and organizational clout from foundational privacy and security hygiene, and many organizations are beginning to integrate privacy/compliance and information security to ensure better collaboration and a focus on more than just technology. Security blogger Matt Kelly recently compared this more integrated approach to preparing for a heart attack: "You can go through life equipped with tools to reduce that risk, such as a defibrillator, and it will indeed help when the time comes. Or you can improve your process of being healthy: eating right and exercising. Neither one of those procedures will assure that you never have a heart attack--but they will help you immensely in staying alive should a heart attack come to pass."

Rick Kam is a founder and president of ID Experts; Mahmood Sher-Jan is executive vice president and general manager of ID Experts' RADAR business unit.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Rebecca Herold from the IEEE on AI and cybersecurity
Cybersecurity In Focus
IEEE deep dive: What you really need to know about AI and cybersecurity

Most Read

Carequality to align interoperability strategy with TEFCA
NASA, ISS National Lab announces solicitation for space health technology
Massachusetts seizes control of Steward hospital while buyers found for 4 others
Finding efficiencies and improving care: Give your healthcare surveillance a clean bill of health
Northwestern Medicine integrates DAX Copilot with Epic, seeking workflow efficiencies
Keep patients digitally empowered and engaged in their care

Research

White Papers

More Whitepapers

Interoperability
Patient Engagement
Interoperability

Webinars

More Webinars

Interoperability
Artificial Intelligence
Artificial Intelligence

More Stories

Hospital administrators in an office meeting
Te Whatu Ora may further cut digital funding
Krishna Duarsa at the Kasih Ibu Hospital Group_HIMSS24 APAC
Bali hospital takes on EMR maturity
Couple holding baby
Owlet wins back compliance with NYSE continued listing standards
David P. Tusa of MD Home Health on RPM
Arizona agency's omnichannel approach to home health includes telehealth and RPM
Hands holding puzzle pieces
AHA concerned over HTI-2 timelines, 'burdensome' requirements
Stethoscope on tablet
HIMSSCast: Is private equity the bad guy in healthcare?
Zafar Chaudry at Seattle Children_Data blocks concept Photo by BlackJack3D1/E+/Getty Images
CIO Spotlight: Zafar Chaudry of Seattle Children's
Monief Eid, senior consultant for the Ministry of Health Saudi Arabia, at HIMSS24 APAC
Building 'solid' medical data exchange...