From the launch of the original Health Insurance Portability and Accountability Act (HIPAA) in 1996 through the HITECH Act of 2009 to last year’s HIPAA Omnibus Final Rule deadline, privacy and security compliance have become increasingly challenging. Interpretation and enforcement of federal policies and regulations have evolved, and a complex web of state regulations has sprung up to add to the difficulties faced by medical and other organizations. Over recent years, privacy and security staff have been moving their organizations from a reactive stance, focused on breach response, to a proactive model that embeds privacy in every stage of operations and every function of the organization. At ID Experts, we have made this journey together with the healthcare industry, working and learning with our clients, and looking for better, more effective ways to tackle the issues of privacy and security. And on September 19th, the International Association of Privacy Professionals (IAPP), the largest organization of privacy professionals in the world, awarded us the HP-IAPP Privacy Innovation Award for technology, for our RADAR incident response management software. While we normally talk about our shared challenges, yours and ours, today we want to celebrate, because this is a shared accomplishment that shows how far we have come together in achieving not only compliance but stronger privacy and security for businesses and the consumer.
Keeping up with changing regulations has historically been one of the biggest compliance challenges. In the early days of the privacy industry, organizations had to sort through all the legal and regulatory changes for every potential breach incident, a process made doubly difficult because few organizations could afford in-house experts to keep up with the evolving requirements. For years, ID Experts provided subject matter expertise to our clients to help them deal with the confusing patchwork of state and federal regulations, but we knew they needed a way to streamline that discovery and have faster, more scalable access to the information. RADAR is the result of that idea. ID Experts CEO Bob Gregg says, “What I am most proud of is that we took our subject matter experts with years of experience and put all that learning into a software as a service (SaaS) product. And it’s updated constantly so that all the rules from 50 different states, all the federal regulations, all the compliance regulations are all available, all up to date, all the time. Today, compliance professionals can have all that knowledge there at their fingertips.”
According to Andrew Rose, principal analyst at Forrester Research, it is increasingly important for data security and privacy professionals to be able to manage collaboratively across business functions and operations. He predicts that “Orchestration will be key in future, with CISOs needing to be able to manage service providers, co-ordinate the support team and make decisions.” Incident response is a company-wide endeavor that typically involves customer-facing staff and managers as well as information security and privacy professionals working together to assess whether the incident amounts to a data breach. If the incident is a data breach, then what was an IT issue is now an enterprise concern—legal/compliance, risk management, marketing, operations, etc. A successful response addresses not only the needs of the organization, but of the affected individuals whose data was breached. The requirements around notification timing, content, and delivery to affected individuals and regulators are very specific. Crisis communications include websites, call centers, and media relations. Identity monitoring and protection should be tailored to meet individual needs—for instance, medical identity monitoring for patients, identity recovery services for actual victims, or reimbursement insurance for those who may have damages in future.
Many organizations have worked out incident response plans that involve all of these business functions, but managing the workflow across the organization can still be time-consuming and problematic. The last piece of the puzzle is a workflow management tool for incident analysis and response. RADAR is designed to simplify the entire process of incident management. Andrew Migliore, director of software development at ID Experts, tells of one customer’s incident response process before using RADAR. It was a 60-step process, requiring manual re-keying and massaging of data from multiple sources. With so many manual steps, the process was error-prone, and mistakes were common. RADAR helped this organization consistently capture, assess, and manage incidents involving private data.
Travis Cannon, RADAR product manager, explains how RADAR provides that missing piece: “A breach starts with an incident. Once an incident occurs, it’s entered into RADAR, which then allows you to have a central place to assign, manage, and investigate the incident. RADAR helps you through the entire response workflow of an incident from start to finish. Once the information is entered in, it will create a risk assessment along with a ‘heat map’ to show the severity of the incident. At that time, it will go over your obligations to notify agencies, consumers, and the media. In short, RADAR really helps manage the whole chain of events over the entire lifecycle of an incident.”
Proof of Compliance
Mahmood Sher-Jan, executive vice president and general manager, RADAR product unit at ID Experts, points out that in a case of data breach, compliance is not enough: “When regulators come calling, being compliant doesn’t count unless you can prove it.” The better an organization can manage its incident response process, the better it can manage its data breach risks and prove regulatory compliance. According to Gartner, organizations must “Develop an enterprise-wide regulatory compliance capability that is aligned with strategic, as well as operational imperatives. Include initiatives to capture incentives as well as comply with regulatory compliance details.” An “operational” approach to incident response management is one that is consistent, defensible, and repeatable, all of which will help not only ensure but prove compliance.
With its operational approach to incident management, RADAR is designed to prove compliance through:
- Consistent and objective analysis to “standardize” all the variables of an incident
- A central repository for all incident information, decisions, and documentation, so that proof is ready in case of an audit or legal situation
- A detailed timetable to ensure timely notifications
Migliore is passionate about helping companies prove compliance. “We are solving a real pain point. When customers tell me they used to go through a 60-step process to investigate and document privacy incidents, I know that we’re making their lives better.”
A Better Way
The data security industry has seen a lot of change in recent years. Data security has gained greater visibility because of new laws at state and federal levels, as well as very large scale malicious hacking that has brought the issue to the attention of the public. As more and more of our personal lives are exposed in the systems that we all use, the importance of data security becomes ever greater.
Mahmood Sher-Jan gets to see firsthand that RADAR is making a difference for client businesses and their customers. One such client is CNO Financial, a holding company whose primary insurance subsidiaries include Bankers Life, Colonial Penn Life, and Washington National Insurance Companies. Before using RADAR, CNO lacked an automated process for its 5,000 employees to report security incidents, and it had no consistent incident management system for complying with state and federal breach laws. CNO couldn’t prove its compliance, consistently manage incidents, or generate reports, which created serious organizational inefficiencies and unacceptable risks. RADAR, with its Breach Guidance Engine™, its customizable web-based forms for submitting incident information and documents, and its up-to-date compliance rules and reporting, helped CNO move from a manual, inefficient process to an automated, consistent, and scalable process for incident escalation, risk assessment, and management, one that helps CNO achieve and prove compliance and significantly reduce risks to itself and its customers.
For Sher-Jan, this is the realization of a vision. “My motivation and inspiration for RADAR was really seeing firsthand our customers’ struggle with managing incidents. There was no really good technology or tool at their disposal to help them manage that very challenging and risky process. We knew that there had to be a better way. We knew that when we brought innovative software modeling capabilities to bear that we could solve this problem very effectively, and that’s exactly what we have done with RADAR. And as the data security industry continues to evolve, RADAR will evolve with it.”
1. Gartner, “Business Drivers of Technology Decisions for Healthcare Providers,” Zafar Chadry, M.D., Steven Lefebure, et al., December 26, 2013.