Data breach risks and privacy compliance: The expanding role of the IT Security professional
By Rick Kam
You have a meeting with your IT executive and learn that you are now designated the company's "privacy officer," a newly created role with few parameters and little direct budget or authority. Yet the position also comes with high expectations and responsibilities, and a laundry list of worries. You are now responsible for protecting the privacy of your customers' and your patients' personally identifiable information (PII) and protected health information (PHI). You take a deep breath. If it makes you feel any better, you are not alone.
We've noticed that the Chief Information Security Officer (CISO), or the IT security function more generally, is increasingly taking responsibility for data breach risks and for managing breach incidents when they occur. This creates an interdependent relationship between the CISO and the Chief Privacy Officer (CPO) and the privacy function.
In many healthcare organizations, the IT security professional is thrust into the privacy role as companies begin to sort out their obligations to the growing federal and state level privacy legislation. Navigating through this maze can be both challenging and rewarding.
Your success in the new role depends on how well you can identify and quantify your company's gaps in compliance with privacy regulations and its actual risk of privacy breach incidents, and then put a plan and the necessary resources in place to mitigate those risks.
Technology is not a "silver bullet" for privacy compliance
Hardly a day goes by without news of some type of data breach being reported. Data breach incidents are growing in frequency and severity, while regulatory requirements for data privacy protection and incident notification are becoming more stringent. Although organizations entrusted with PII and PHI are investing in technologies such as encryption and data loss prevention (DLP), none of these are "silver bullets" that will eliminate data breach risks. Despite the attention paid to failed or inadequate security controls, a far larger and more common share of these incidents is simply the result of staff being unaware of, or not complying with, internal security policies, and of lax practices for safeguarding sensitive information.
Risk factors and overlooked risks
I will explore the various risk factors that correlate to data breach incidents and associated organizational implications. I will also help identify areas on which information security and privacy professionals should focus their efforts in order to address the most prevalent and often overlooked risks.
Years of experience have taught us that the most common causes of data breach incidents resulting from unintentional failure of privacy and security practices/policies include:
1. Failure to terminate or modify both physical and/or network access levels when staff is transferred or terminated.
2. Misdirected email messages or faxes to unauthorized recipient(s).
3. Billing department mistakes, where billing statements are sent to the wrong customers/patients.
4. Digital copy machines storing document images containing highly sensitive customer or patient data that is not encrypted or cleared.
5. Improper disposal of paper records.
6. Theft or loss of laptops, tapes, or portable devices.
7. Physical security staff communicating sensitive information over an unsecured channel.
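The first item on the list, access that survives a transfer or termination, is the one of the seven that a security team can check for mechanically by reconciling the HR system of record against the directory. The following is an added example, not code from the article or from ID Experts: a small reconciliation that flags terminated staff whose accounts are still enabled, active staff who still hold another department's group after a transfer, and accounts with no HR owner at all. The department-to-group naming scheme, the record layouts and the sample data are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class HrRecord:
    employee_id: str
    name: str
    department: str
    status: str                               # "active" or "terminated"
    termination_date: Optional[date] = None   # set when status == "terminated"

@dataclass
class Account:
    username: str
    employee_id: str
    enabled: bool
    groups: set[str] = field(default_factory=set)

# Hypothetical naming scheme: each department owns exactly one access group.
DEPT_GROUPS = {"billing": "grp-billing", "radiology": "grp-radiology", "hr": "grp-hr"}

def find_access_gaps(hr_records, accounts, as_of):
    """Return (username, finding_kind, detail) tuples for accounts whose access
    no longer matches what HR says about the person."""
    findings = []
    hr_by_id = {r.employee_id: r for r in hr_records}
    for acct in accounts:
        rec = hr_by_id.get(acct.employee_id)
        if rec is None:
            # Account with no owner in HR: nobody is accountable for it.
            findings.append((acct.username, "orphan", "no HR record for this account"))
            continue
        if rec.status == "terminated":
            if acct.enabled:
                days = (as_of - rec.termination_date).days
                findings.append((acct.username, "terminated-still-enabled",
                                 f"terminated {days} days ago, account still enabled"))
            continue
        # Active staff: flag departmental groups belonging to a different department,
        # the usual leftover from a transfer whose old access was never removed.
        expected = DEPT_GROUPS.get(rec.department)
        for group in sorted(acct.groups):
            if group in DEPT_GROUPS.values() and group != expected:
                findings.append((acct.username, "stale-group",
                                 f"holds {group} but works in {rec.department}"))
    return findings

# Constructed sample data (not real HR or directory exports).
SAMPLE_HR = [
    HrRecord("E1001", "Alice", "billing", "active"),
    HrRecord("E1002", "Bob", "radiology", "terminated", date(2010, 5, 1)),
    HrRecord("E1003", "Carol", "hr", "active"),          # transferred from billing
]
SAMPLE_ACCOUNTS = [
    Account("alice", "E1001", True, {"grp-billing"}),
    Account("bob", "E1002", True, {"grp-radiology"}),      # still enabled after leaving
    Account("carol", "E1003", True, {"grp-hr", "grp-billing"}),
    Account("temp99", "E9999", True, set()),               # no matching HR record
]
AS_OF = date(2010, 6, 1)

def run_review():
    return find_access_gaps(SAMPLE_HR, SAMPLE_ACCOUNTS, AS_OF)

if __name__ == "__main__":
    for username, kind, detail in run_review():
        print(f"{username:8} {kind:26} {detail}")
```

Run against the constructed data, the review reports three findings: Bob's account still enabled 31 days after termination, Carol retaining the billing group after moving to HR, and the orphaned temp99 account. In practice the same reconciliation would read an HR export and a directory export on a schedule, and the finding kinds map directly onto tickets for the owning manager.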
While IT security technologies such as intrusion detection, anti-virus, encryption and data loss prevention are all helpful and often necessary tools, they cannot prevent the vast majority of breach incidents, which occur daily across healthcare organizations, financial institutions and government agencies, the sectors where most breach incidents are reported.
The reason for this mismatch is that many of the technical controls assume malicious intent, yet most of the incidents are unintentional breaches of company security and privacy policies and practices.
In the healthcare industry, for example, all of the above events may constitute data breach incidents, and some of them have severe internal and external implications for the organization. The American Recovery and Reinvestment Act of 2009 (ARRA), through its included Health Information Technology for Economic and Clinical Health (HITECH) Act, amended HIPAA with requirements for healthcare organizations to have documented policies and procedures, assigned responsibilities for privacy and security, ongoing training for staff, a risk assessment for each incident, and notification of victims, as well as of the Department of Health and Human Services (HHS), based on the result of that risk assessment. These requirements became effective last year, on February 18, 2010.
As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information that affects 500 or more individuals.
The HHS started listing the breaches on its website in February 2010, then updated the list in April 2010. The data shows that more than 1.2 million individuals were affected - based on information on 64 incidents. The way that HHS categorizes some incidents can at times make it difficult to tell the difference between failures of technology as opposed to process. About 69% of the incidents are classified as "Theft/Loss" and we can see with reasonable certainty that 30% of the incidents were process related.
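The difficulty described above, that the HHS categories do not say outright whether an incident was a technology failure or a process failure, is something an analyst has to resolve by hand with a rule set. The following is an added example, not code from the article or from ID Experts, of one such rule set applied to constructed records laid out in the style of the HHS list (a breach type plus a location plus a count of affected individuals). The category and location labels approximate the ones on the HHS site but are assumptions here, and the classification rules are the example's own: hacking is counted as a technology failure, improper disposal and unauthorized access as process failures, theft or loss of paper as a process failure, and theft or loss of an electronic device as a separate bucket, because the record alone does not reveal whether encryption would have covered it.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class BreachRecord:
    covered_entity: str
    individuals_affected: int
    type_of_breach: str    # HHS-style category, e.g. "Theft", "Loss", "Hacking/IT Incident"
    location: str          # HHS-style location, e.g. "Laptop", "Paper"

# Assumed location labels; adjust to whatever the export actually uses.
PAPER_LOCATIONS = {"Paper", "Paper Records"}
ELECTRONIC_LOCATIONS = {"Laptop", "Desktop Computer", "Network Server",
                        "Other Portable Electronic Device", "Electronic Medical Record"}

def classify(rec):
    """Map an HHS-style record onto technology / process / device-theft-loss."""
    breach = rec.type_of_breach
    if breach == "Hacking/IT Incident":
        return "technology"
    if breach in ("Improper Disposal", "Unauthorized Access"):
        # Wrong recipient, wrong bin, wrong person looking: a practice failed, not a control.
        return "process"
    if breach in ("Theft", "Loss"):
        if rec.location in PAPER_LOCATIONS:
            return "process"
        if rec.location in ELECTRONIC_LOCATIONS:
            # Encryption status is not in the record, so keep these separate for review.
            return "device-theft-loss"
    return "unclassified"

def summarize(records):
    """Incident count, affected individuals and share of incidents per bucket."""
    totals = defaultdict(lambda: {"incidents": 0, "individuals": 0})
    for rec in records:
        bucket = totals[classify(rec)]
        bucket["incidents"] += 1
        bucket["individuals"] += rec.individuals_affected
    n = len(records)
    for bucket in totals.values():
        bucket["incident_share"] = round(100.0 * bucket["incidents"] / n, 1)
    return dict(totals)

def total_individuals(records):
    return sum(r.individuals_affected for r in records)

# Constructed sample records (entity names and figures are made up).
SAMPLE_RECORDS = [
    BreachRecord("Clinic A", 3000, "Theft", "Laptop"),
    BreachRecord("Hospital B", 1200, "Loss", "Other Portable Electronic Device"),
    BreachRecord("Practice C", 800, "Theft", "Paper"),
    BreachRecord("Hospital D", 500, "Improper Disposal", "Paper"),
    BreachRecord("Plan E", 600, "Unauthorized Access", "Email"),
    BreachRecord("Hospital F", 20000, "Hacking/IT Incident", "Network Server"),
    BreachRecord("Clinic G", 2500, "Theft", "Desktop Computer"),
    BreachRecord("Practice H", 700, "Loss", "Paper"),
    BreachRecord("Hospital I", 900, "Unauthorized Access", "Paper"),
    BreachRecord("Clinic J", 1500, "Theft", "Laptop"),
]

if __name__ == "__main__":
    for name, stats in summarize(SAMPLE_RECORDS).items():
        print(f"{name:18} incidents={stats['incidents']:2} "
              f"individuals={stats['individuals']:6} share={stats['incident_share']}%")
    print("total individuals:", total_individuals(SAMPLE_RECORDS))
```

On the constructed data, half of the incidents land in the process bucket, four of ten are device theft or loss that needs a follow-up question about encryption, and the single hacking incident accounts for most of the affected individuals. The point of separating the device bucket rather than forcing it into either side is that it is exactly the population where the technology-versus-process question cannot be answered from the published record.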
Risk assessments are effective for organizations
Our experience shows that a significant portion of data breach incidents are managed by our clients' IT organization, where privacy and security are combined. For us, this often involves working with the client's IT management, staff, and counsel to remediate the situation. As far as our healthcare customers are concerned, a big new challenge is the requirement to comply with the HITECH Act's risk assessment. We conducted a survey and found that all of the respondents indicated that they are spending at least 50% more time investigating and performing risk assessments on data breach incidents since the HITECH Act became effective. This is putting significant strain on the IT organization to meet compliance requirements.
We recommend that organizations consider the following questions to get a better sense of their privacy program's risk and maturity:
* Corporate Governance – Does the organization have clear accountability and visibility from the boardroom to frontline privacy operations?
* Privacy and Security Office Operations – Does the privacy office develop, implement, and monitor organizational processes that address all facets of confidentiality and customer/patient, and employee/staff privacy?
* Resource Allocation – Has the privacy and security office identified and prioritized the resources and budget necessary to maintain the privacy and security of the organization's personal and sensitive information?
* Management Reporting – Does the privacy and security office maintain a system of management reporting that provides the organization with timely and relevant information in all areas of privacy risks and effectiveness?
Practical implications for privacy best practices
Security and privacy professionals face a daunting challenge with the evolving threat vectors and the changing regulatory landscape. For those with deep knowledge and awareness of these forces and the ability to manage them, there are significant career rewards and opportunities.
As you review your overall data breach risk and compliance environment, here are some suggested best practices to consider. We have found that many organizations are lacking some or most of these practices, which makes them highly vulnerable. These practices can be performed internally and/or using external resources:
* Keep track of the myriad federal and state laws and regulations concerning customer/patient and staff privacy.
* Conduct an annual privacy and security risk assessment, and quantify and communicate the risks from an overall business perspective.
* Implement staff training and awareness programs.
* Develop an incident response plan and designate a cross-functional response team.
* Implement a breach incident risk assessment process that is consistent, efficient, and provides sufficient guidance to meet regulatory requirements and approval from counsel.
* Measure, track, and communicate key privacy and security program performance metrics and risks.
The good news for IT professionals responsible for security and privacy initiatives is that organizations are becoming more educated and sensitized to the business risks posed by data breach incidents.
There are a growing number of external resources available that can help organizations identify specific privacy-related threat vectors and best practices to reduce the risks. Leveraging internal and external data and resources to guide your IT investment for maximum impact is possible today. Simply enhancing your speed of patching may only get you a 2% reduction in risk.
Rick Kam is President and Founder of ID Experts (www.idexpertscorp.com). The company has managed hundreds of data breach incidents for healthcare organizations, corporations, financial institutions, universities and government agencies. He is an expert in privacy and information security. His experience includes leading organizations in developing policy and solutions to protect PHI/PII and to remediate privacy incidents and identity theft.