Forecast 2015: Cloudy with a Chance of Data Breaches

Given this frequency of incidents, I think it isn’t a stretch to conclude that incident management – capturing the facts, assessing whether they are breaches, carrying out regulatory notifications – is something that most larger organizations holding health data are doing on a daily and weekly basis. But it hasn’t become a “mission critical” function in most of these organizations, something carried out like other day-to-day operational functions such as billing or payroll. Yet the privacy and security of health data is one of the areas most heavily regulated by federal and state authorities, and regulators have become draconian in assessing fines, penalties, and corrective action plans against organizations that can’t stand up to their scrutiny, especially when there is a data breach. So for organizations that touch health data anywhere in its chain of custody, not just hospitals and insurance companies but cloud vendors, those with health apps, and others, 2015 will be the year when incident response becomes a mainstream management imperative. Privacy incident response management in these organizations can’t continue to be an ad hoc process done part-time by an overworked privacy or information security official. For the same reason that organizations use QuickBooks for accounting and Salesforce for sales management, they are going to need to start using software purpose-built for managing the growing frequency of privacy and security incidents: for efficiency, but also for compliance. If your organization handles any kind of health data, then as a privacy, information security, compliance, risk or legal professional, 2015 will be the year to help your organization get its incident and breach management on solid, scalable footing.


Unifying Principles for Security and Privacy Incident…

IAPP recently hosted a webinar about how to engender teamwork in organizations for managing the security and privacy incident and data breach response process. Such collaboration is especially crucial when incidents involve sensitive personal data of customers or even employees, where there is an expectation of privacy. Speakers included Lisa Copp, the chief privacy officer and assistant general counsel for CNO Financial Group, a major insurance company, and Meredith Phillips, the chief information privacy and security officer for Henry Ford Health System, a nationally prominent health organization. If you have any involvement with the management of privacy incidents or related risks in your organization, you must watch this webinar.

In addition to providing key insights into how cross-functional teams, often in different organizational silos, can be made to work productively around incident response, they also describe their governance structure and how they, along with their boards and other executive management, address the enterprise risk surrounding privacy incidents.

Lisa further delved into the use of tools to automate incident management within CNO. I found it interesting that she talked about the importance of having a “single source of truth” within their systems and processes, which makes so much sense when you consider the need for an extremely solid set of documentation that can stand up to the scrutiny of regulators or others who may second-guess your decisions and logic. She also noted the challenges inherent in the “non-linear workflow” that tends to be the norm in incident response and how best to provide coordination within this environment.

Meredith augmented Lisa’s insights from a unique perspective, given that Henry Ford Health System recently went through the process of unifying its information security and privacy mission into a single team. They evolved from a decentralized model, one that is somewhat more common in many industries, to a unified one under Meredith’s leadership. What I found interesting was how the “mindset” at HFHS has also evolved during this period, from one where privacy and security compliance was a “necessary evil” to one where an overall “culture of confidentiality” pervades the system, diminishing the negative mindset and aligning it with their organizational mission.

In both cases, these organizations use a systems platform that automates the capture, assessment and management of privacy incidents. They address the benefits of this approach as well as how it was integrated into their organizations and processes. I think anyone who is involved with privacy incidents – privacy, information security and compliance officers, general counsel and risk managers – will find this webinar most informative and instructive for managing the related enterprise risks.
