The Security Scrutinizer with Howard Anderson

Breach Resolution: Are You Ready?

Huge Incidents Put Spotlight on Prevention, Notification

And the results of our Healthcare Information Security Today survey confirm that many organizations still have plenty of breach prevention work to do. (Full results will be available in the coming days).

A breach affecting an estimated 4.9 million beneficiaries in the TRICARE military health program appears to be the largest reported so far under the HIPAA breach notification rule, in terms of individuals affected. In the TRICARE incident, backup tapes were stolen from the parked car of an employee of a business associate, Science Applications International Corp.

Our survey finds that only about half of organizations have a plan in place to comply with the HIPAA breach notification rule. 

In another recent incident, Nemours children's health system reported 1.6 million individuals were affected when a locked cabinet containing three backup tapes was discovered to be missing from a facility.

Countering Security Threats

Our survey shows that 43 percent of healthcare organizations grade their ability to counter internal or external information security threats as poor, failing or in need of improvement. Further, the survey finds that only about half of organizations have a plan in place to comply with the HIPAA interim final breach notification rule, which has been in effect since September 2009.

The two huge recent breach incidents point to the value of encrypting backup tapes and other portable media to prevent breaches. Under the HIPAA breach notification rule, breaches involving properly encrypted data don't have to be reported.

The incidents also point to the need to have a detailed breach resolution plan in place, including a strategy for investigating a breach; promptly notifying all those affected, as well as federal authorities; and determining whether to offer victims such services as free credit monitoring. Otherwise, responding to a breach could be even more headache-inducing - and more costly.

TRICARE now faces a $4.9 billion class action lawsuit as a result of the breach incident. Meanwhile, the federal breach tally keeps growing; soon it could include breaches affecting a total of more than 18.5 million individuals.

So if you're having trouble winning financial support for your breach prevention efforts, show your CEO and board members the headlines about the latest mega-breaches. Point out the ongoing federal breach tally ... and then ask them if they want to avoid being the next organization on the "wall of shame."

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.