HITECH: 5 Critical Security Issues
Interview with Brian Lapidus, COO of Fraud Solutions at Kroll
Kroll, a risk management company, advises these organizations to pay attention to five critical security issues. In this exclusive interview, Brian Lapidus, COO of Kroll's fraud solutions division, discusses these five issues, emphasizing:
- Questions to ask business associates;
- How to deploy encryption;
- The criticality of having and testing a breach reporting plan.
Lapidus has unique frontline experience helping a wide variety of corporations and organizations safeguard against and respond to data breaches. With an extensive background in organizational development, today he sets direction for the company's continued success in identity theft discovery, investigation and restoration. Lapidus is particularly knowledgeable about the many security gaps - physical, procedural and electronic - common to many U.S. companies and organizations, as well as the criminal landscape where stolen identities are bought, sold and used. He oversees a highly-skilled team that includes veteran licensed investigators who specialize in supporting breach victims and restoring individuals' identities to pre-theft status.
He also is working with consumer organizations to help ensure responsible practices among businesses that provide identity theft-related services. Lapidus has a bachelor's degree from Washington University with concentration in psychology and business and an MBA from Vanderbilt with concentration in strategy and general management.
TOM FIELD: Just to get us started Brian, why don't you tell us a little bit about yourself, about Kroll, and your role with the company?
BRIAN LAPIDUS: Great, thanks, Tom. I have the privilege and honor of leading our fraud solutions practice. We help organizations who are suffering from data breaches or lost data. We also work with consumers through third-party partners as it relates to helping those individual consumers handle the perils and challenges from identity theft.
FIELD: So, we've got a number of hospitals and physician groups ramping up their efforts now to implement comprehensive electronic health records in hopes of obtaining incentive payments from Medicare or Medicaid under the HITECH Act. Now, I understand that your company is advising these organizations to pay attention to five critical security issues. So how about we talk about those in the context of this conversation?
LAPIDUS: That sounds great.
FIELD: Brian, the first I want to ask you about is business associates. What question should hospitals and physician groups be asking of their business associates now?
LAPIDUS: I think they are all along the lines of where is your PHI stored? Is it ever stored at an offshore facility? Who has access to it? Are your employees subject to security training and background checks? What types of data will you need from us to perform services? How does the business associate monitor the data handling policies and procedures of the subcontractors with whom they share PHI? The biggest question for the CE business associates or subcontractors is, do we really need to use this PHI at all? One of the things that I am always talking to our clients about is the importance of data minimization. People should only keep what they need. Over time, data has become the equivalent of "it's power, it's knowledge," but you don't always need everything you keep and so we encourage organizations to hold less of it.
I think another point, if I could, has to do with the covered entities in that even if your business associate breaches your data, the ultimate responsibility for notification falls to you. So you want to make sure that the BA can specify procedures for notifying you in a timely manner once a breach has occurred. Get those assurances written in the contract, so there will be no question as to what their responsibilities are. Unfortunately, a lot of these business associates or third parties don't even know that it is their responsibility to notify you that they've lost your data.
FIELD: Let's talk about encryption, Brian. You've recommended that portable devices be encrypted. I would like to ask you: 1), why is that important, and 2) what other applications of encryption should be considered?
LAPIDUS: I would say over the next year we are going to be hearing a lot more about encryption within the healthcare space, because of the provisions surrounding unsecured PHI. That is: PHI that has not been rendered unusable or unreadable. Basically, if you have a breach of unsecured PHI, it's almost guaranteed that you will have to notify. Full DES Encryption is a powerful means to protect data. Encryption should be considered for all portable devices, but that is encryption for data at rest, in motion and in use. But one thing I would like to caution all the listeners is that people go down the rabbit hole of encryption thinking that means there is not going to be a data loss ever or data breach. The reality is: Not every breach is tied to technology. We worked lots of cases and handled many incidents where the data loss had nothing to do with technology. So I caution hospitals and other organizations to not think 'Because we've figured out this encryption aspect from a technology angle, we're safe.'
FIELD: Now, a moment ago we talked about awareness for business associates. One of your recommendations is that hospitals and clinics step up their efforts to provide security awareness training to staff. In what ways do you see that these organizations need to improve their training now?
LAPIDUS: From my mind, employee training is the absolute cornerstone of every good data security program. The reason organizations need to improve training is because with HITECH there are new requirements that employees need to be made aware of - specifically, all employees should know what does and does not constitute a data breach. Now, with such emphasis placed on training, it is imperative that the healthcare organization make training part of the culture rather than just a required act of signing an agreement. In addition, as employees of healthcare organizations have widely varying responsibilities and points of touch with patient data, it is important to construct a training program that is relevant to job function and level of sensitive data handling. Finally, rather than creating an excessive training program, the goal should be to make necessary pre- and post-breach training a part of the overall program.
For healthcare organizations, the primary focus should be on privacy and security breach prevention and detection. Healthcare employees must be trained to detect and report a breach, as the notification 60-day stopwatch starts when they know or reasonably should have known that the breach occurred. Furthermore, to encourage detection and escalation of an incident, healthcare organizations should review existing employee communication channels such as a whistleblower hotline that can facilitate and expedite breach reporting.
You really want your entire organization to be comprised of an entire employee set of risk managers, and the right kind of training and the right kind of culture can facilitate the creation of that army of risk managers if you will.
FIELD: Brian, you talked about that 60-day period, and as we know, the HITECH Act, the breach notification rule, requires healthcare organizations to report major breaches within 60 days. Now you're recommending that hospitals and physician groups develop a breach reporting plan and then test it. Give us a sense of what that plan should include, and then how it should be tested once it's created?
LAPIDUS: I'm talking here about an incident response plan, and this has become increasingly important even as the HITECH Act specifies that the notification must occur without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. An incident response plan will designate stakeholders to be involved in the response team. It will include a blueprint for training staff to recognize a data loss event. It will identify a chain of notification, so that a proper investigation can occur, and it will include steps that must be taken to ensure complete and compliant response. The IRP will come in handy because the HITECH Act actually requires HIPAA-covered entities to carry out a careful risk assessment, including an evaluation for potential harm for every data loss event to avoid over or under notifying the public.
So from my perspective, a thorough investigation is extremely important, including data forensics to determine the scope and identify potential causes. It is very important to demonstrate to HHS, the FTC, or to the state attorneys general that you have made a concerted effort. You know, we've never seen someone penalized for doing the right thing, but I think we're starting to see that there is a willingness to penalize organizations that show negligence in this area.
I think my last point on this is: Having an incident response plan is critical, but you've got to test it periodically, and that might mean different things for different organizations. It may include a tabletop exercise where stakeholders are gathered for a dry run of this, but you know you don't want this incident response plan to just be a binder that you never pull out and test. I think, actually, going through that exercise is critical, and when the event does happen it makes you that much more agile when you are responding.
FIELD: Just a follow-up question Brian. As you encounter healthcare organizations, how commonly do you see these incident response plans now?
LAPIDUS: We are definitely starting to see more and more of them. We are seeing it as a best practice of these organizations that want to make sure that they are ready when the event happens. Unfortunately, a lot of times it takes having the event to make sure that they've got that plan in the future, but we are definitely seeing an upsurge in the trend of having this plan.
FIELD: Brian, in preparing for breach notification, you've recommended that organizations sort through all the complexities of federal and state requirements and determine whether they need some outside assistance to complete certain tasks in a timely way. What do you find to be the most important potential time crunch issues?
LAPIDUS: The first step, as I talked about a couple of minutes ago, is to conduct a thorough investigation to ensure that there was an actual breach. To properly scope the breach and to determine: Who requires notification? The logistics of setting up notification mailing, setting up a call center, training staff to handle breach calls, notifying the required entities, and handling what could be potentially damaging media scrutiny. These things take a lot of very specialized resources and skill sets.
So, first of all, organizations have to look at their own resources and recognize whether or not they have the means or the capability to handle such a massive operation themselves. So, as we mentioned, notification is about far more than simply mailing a letter. This is where an organization like Kroll can be very helpful, because our area of expertise is taking this burden away from the organization in a way that allows them to maintain day-to-day operations and not taking hits over their productivity. We also have the knowledge base to make a recommendation based upon the organization's potential and particular level of risk. Now, one of the things that we always talk to our clients about is recommending that they seek adequate legal counsel, because even an organization like ours can't provide the kind of legal counsel that a healthcare organization may require in the event of a breach, or particularly if they are investigated by an Attorney General or undergo some sort of regulatory scrutiny. But one of the things that we do is work in tandem with that legal partner to make sure that we are providing a holistic solution for the organization.
FIELD: Brian, we've covered a lot here. We've talked about business associates, encryption; we've talked about breach notification. We've got a number of organizations that are looking at this issue freshly now. If you could boil it down to a piece of advice, where should a healthcare organization start just to assess where they are and what their next step ought to be?
LAPIDUS: My main recommendation is really having these organizations start with looking at a third-party due diligence. Make sure that those business associates understand their requirements, because that nuance and the stopwatch of notification really start with them. We've seen far too many organizations have issues because their business associate wasn't aware of their requirement. So, I think that piece of due diligence for an organization to be mindful of their third-party vendors and third-party business associates is a critical first step in helping to protect themselves from potential data loss later.