Breach Prevention: Year-End InsightsThe Important Role of Continuous Improvement of Security
We want to prevent health data breaches for all the obvious reasons - avoiding pain for the organization, ourselves and our patients or health plan members. In addition to the higher federal fines now in place for violating HIPAA, states increasingly are mandating security protections or, at least, expensive consequences for inadequate controls. Other nations also are adopting new breach-related regulations
On top of monetary fines stemming from a breach, the hours spent investigating, deliberating, notifying and implementing new controls take away from other work.
Security professionals preach about the need for policies. While that's valid, policies are only the starting point.
And then there are the victims. Regardless of whether they suffer personal consequences from a breach, they may not think as highly of your organization after a security incident - and you could lose some customers.
One key way to reduce the risk of a breach is continuous improvement of information security programs. It's dangerous to put security controls in place and then walk away, thinking you're finished. The security risk environment is always shifting, and our work is never done.
For free, high-quality security advice that covers all the bases - from non-technical user awareness and training to very technical topics, such as encryption - NIST's Computer Security Resource Center is one of my favorite resources.
Under the topic of Security Management & Assurance, NIST offers Program Review for Information Security Management Assistance or PRISMA. With continuous improvement of our security programs, we aim to achieve maturity. Here's how the site introduces PRISMA:
"PRISMA provides an independent review of the maturity of an agency's information security program. The review is based upon a combination of proven techniques and best practices and results in an action plan that provides a federal agency with a business case-based roadmap to cost-effectively enhance the protection of their information system assets."
Although mainly written for federal agencies required by law to implement security programs, the PRISMA site provides great advice and guidance for all organizations seeking to move their programs forward. PRISMA presents one way to view security program maturity levels.
The message here is that your organization needs a real (i.e., comprehensive, documented, verifiable and effective) information security program to ward off security incidents and breaches, and such a program doesn't happen just by chance or through occasional effort.
Going Beyond Policies
Security professionals preach about the need for policies. While that's valid, policies are only the starting point, setting the tone and direction for your security program. Without appropriate technology, procedures and workforce training to implement them, policies aren't worth much. After all, we're trusting that people will understand what we mean and know how to comply - and have the will to do it. That's simply not realistic.
One problem that continues to plague healthcare is the failure to encrypt laptops and other portable devices and media.
Many healthcare organizations and their business associates routinely encrypt laptops, and many are extending routine encryption to USB drives and other personally owned media. Unfortunately, some organizations still only have a policy stating that laptops must be encrypted or that no confidential data should be stored on a laptop, but they fail to actually implement those policies.
In that case, the organization's security program is deficient, and users may not be entirely to blame when things go wrong. And eventually, regulators are going to get tired of seeing these same kinds of breaches again and again and crack down.
The other distressingly common problem is woefully inadequate workforce training and awareness. In too many cases, security training falls short of reasonable practices in terms of frequency and content. And in some cases, it misses parts of the workforce or is less robust for some groups.
There are a multitude of security topics to convey to your workforce, and routine, frequent security reminders help teach and reinforce key points. The silver lining in all the healthcare security breaches is that they provide good opportunities to discuss what went wrong and how to prevent a similar breach in your organization.
That's a good lesson for all of us in security. Keep an eye on security news, trends and breaches. Learn from others' mistakes and be prepared.
Borten is president and founder of security and privacy consulting firm, The Marblehead Group. Before launching the firm in 1999, she led the enterprisewide security program at Massachusetts General Hospital in Boston and established the first information security program at Beth Israel Deaconess Medical Center and its parent organization, CareGroup, as its chief information security officer.