Transcript of "Preventing a Healthcare Data Breach Epidemic"
Preventing a Healthcare Data Breach Epidemic

Certain types of computer dysfunction are analogous to disease, at least in a descriptive sense. For example, we say that a PC can get "infected" by a computer "virus." The recent rash of hacker attacks makes me wonder if we're on the verge of a data breach "epidemic."

True epidemics occur when new human cases of a certain disease substantially exceed what is expected over a period of time. Epidemic diseases need not be communicable; they occur when there is an accelerating number of exploits of similar weaknesses in the human immune system. (Note the clever use of the analogy in reverse.) It's not much of a stretch, then, to apply the concept of an epidemic affecting the human body to one that cripples IT infrastructures.

Perhaps recent events even warrant the use of "pandemic." Over 11 million personal health records have been compromised in major data breaches in the U.S. since September 2008. Last week, 8.6 million health records were reported at risk because of a missing laptop in London whose disk was not encrypted. Add the recent hacker intrusions at Epsilon, Sony, the IMF, Citibank, Sega, etc., and reported incidents are clearly accelerating at a staggering rate.

This must be disturbing news for a healthcare industry moving forward aggressively on the implementation and adoption of electronic health records. But consider it instead a call to action. Providers and business associates should seize this moment to take preventative measures. Hospitals and providers can leverage the mandatory security requirements of the "meaningful use" EHR incentive program to build organization-wide consensus and gain budget approval to invest now in their IT security future.

To qualify for incentive payments under meaningful use, covered entities and eligible providers must "conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process." What an opportune time to revisit and revamp the outmoded, insufficient, neglected and/or minimal security risk programs that were likely put in place years ago.

For forward-thinking business associates, this is an opportunity too. Direct liability for ePHI data breaches won't transfer to business associates until sometime in 2012, but there's no time like the present. In IT security, preventative action trumps reaction and damage control. Just ask Sony. And as a "culture of security" grows among healthcare providers, business associates will find that data security becomes not only a requirement of doing business with health providers but also a competitive differentiator.

So how do we all work together to prevent a data breach epidemic? In the 1995 movie "Outbreak," one proposed solution was to drop a fuel-bomb on a city where the virus had been contained. But data breaches are rarely containable, and even if they were, I doubt there would be many fuel-bombs dropped anywhere but in the computer war game Call of Duty.

Our "call of duty" to prevent data breach outbreaks or epidemics is first to understand that security is an end-to-end process. In this new environment, where networks, and networks of networks, will be able to provide an access path to the most sensitive personal information, there is no such thing as containment. To quote John Halamka, MD, MS, CIO at Beth Israel Deaconess Medical Center: "the healthcare system is as vulnerable as its weakest link. Thus each application, workstation, network and server within the enterprise must be secured to a reasonable extent." That is your mission. And Redspin's job is to help you achieve it.

Redspin: WWW.REDSPIN.COM | 800-721-9177 | INFO@REDSPIN.COM