Micky Tripathi is providing a great service to the healthcare industry by sharing all the blow-by-blow details of his organization's experience with a relatively small breach. His breach resolution tale of woe, including documentation of nearly $300,000 in expenses, is powerful testimony to the need for stepped-up breach prevention.
In an interview, Tripathi, CEO of the Massachusetts eHealth Collaborative, outlines eight important lessons learned in the aftermath of a breach stemming from the theft of an unencrypted laptop (see: Breach Resolution: 8 Lessons Learned). Of course, he's a strong advocate for making sure that an encryption policy is carried out and staff members receive adequate security training.
But his experience shines a spotlight on a very important message: Do not underestimate how difficult it is to respond to and remediate a breach.
In a lengthy recent blog, Tripathi outlines every component of his breach resolution experience, including the difficulty in determining just how to comply with state and federal regulations.
In our interview, he also is refreshingly frank about the need to take responsibility for actions as an organization and as a leadership team.
The laptop incident "was a mistake by a person who violated company policy," he notes. "But on the other hand, they probably didn't have enough education and training, and they probably didn't have enough tools to do their job securely."
That self-assessment led Massachusetts eHealth Collaborative to take a fresh approach to security. And that's an example that others should follow.
Tripathi deserves credit for being so open about his post-breach experience. Listening to the interview, and reading his blog, will be an eye-opening experience for many.
We all know that breach resolution is difficult and costly. But Tripathi's tale spells out just how challenging it is to deal with the aftermath of a breach.
If more business associates and covered entities that have experienced breaches shared the lessons they've learned, I believe we'd see a decline in breaches. Thank you, Micky Tripathi, for sharing your story.