The Security Scrutinizer


Keeping an eye on efforts to protect the privacy and security of personal healthcare information

Breach Case Study Offers Helpful Tips

Real-World Experiences Highlight Prevention Needs

Micky Tripathi is providing a great service to the healthcare industry by sharing all the blow-by-blow details of his organization's experience with a relatively small breach. His breach resolution tale of woe, including documentation of nearly $300,000 in expenses, is powerful testimony to the need for stepped-up breach prevention.

In an interview, Tripathi, CEO of the Massachusetts eHealth Collaborative, outlines eight important lessons learned in the aftermath of a breach stemming from the theft of an unencrypted laptop (see: Breach Resolution: 8 Lessons Learned). Of course, he's a strong advocate for making sure that an encryption policy is carried out and staff members receive adequate security training.

But his experience shines a spotlight on a very important message: Do not underestimate how difficult it is to respond to and remediate a breach.

In a lengthy recent blog, Tripathi outlines every component of his breach resolution experience, including the difficulty in determining just how to comply with state and federal regulations.

Taking Responsibility

In our interview, he also is refreshingly frank about the need to take responsibility for actions as an organization and as a leadership team.

The laptop incident "was a mistake by a person who violated company policy," he notes. "But on the other hand, they probably didn't have enough education and training, and they probably didn't have enough tools to do their job securely."

That self-assessment led Massachusetts eHealth Collaborative to take a fresh approach to security. And that's an example that others should follow.

Tripathi deserves credit for being so open about his post-breach experience. Listening to the interview, and reading his blog, will be an eye-opening experience for many.

We all know that breach resolution is difficult and costly. But Tripathi's tale spells out just how challenging it is to deal with the aftermath of a breach.

If more business associates and covered entities that have experienced breaches shared the lessons they've learned, I believe we'd see a decline in breaches. Thank you, Micky Tripathi, for sharing your story.

About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
