The Next Record Breaking Breach
By Jeremy Henley - Article on June 27, 2013
There has not been a record breaking breach for a while now. Unless you consider the little issue that the NSA has in terms of dealing with their leak(s). I am referring to the rest of the corporate world that use PII and PHI daily for business purposes, they have not had a record setting lost for quite a while. Does this mean all of the privacy and security risks and issues have been solved? I don’t think so.
With the final HIPAA rule in place now and the deadline for compliance of September 23, 2013 many organization are scrambling to be compliant. However I find it hard to believe that so many healthcare entities and ALL of their business associates will become and stay compliant. Remember compliance is a moving target. I think the lack of compliance for some may be the source of the news grabbing records related to data breaches.
Looking at the healthcare space specifically we know that enforcement is increasing and we have heard from the regulators from several conferences over the last few months that fines will be increasing. They have said they will continue to look at events and the number of violations per event as a point for how the value of the fine is calculated. Some of the sources I have been speaking with recently mention fines north of $10M and maybe even $15M. I believe that would be a new record for fines in the data healthcare data breach space and is sure to get folks attention.
Being and staying compliant is difficult, even the federal regulators will acknowledge this is a big chore. Having best practices around privacy and security, whether they are good or not, means nothing if they are not documented. We all know that avoiding a data breach is next to impossible and having a breach can expose your current level of compliance which does not give you time to prepare.
So let’s review some of the basic things that need to happen to have the best chance of avoiding or minimizing the impact from these fines. Regardless of how your organization stacks up you need to create a baseline by completing an assessment of your current level of compliance. This is your starting point which will be a good thing regardless the findings, not something that only documents how far out of compliance your organization actually is. Documenting that you have identified the issues and are systematically working to improve them is what a compliance program is all about. If you know in advance that the assessment report may expose past history that you would not like outsiders knowing about, then have the legal counsel involved in the process.
When a regulator comes knocking on your door post breach, having this assessment complete and the documentation in your pocket will likely change the outcome of what will happen next regardless of your actual level of compliance. You will want to make sure that you can justify why you are not compliant but a well-run assessment will document these issues. If it would be hard for them to justify a fine for a violation they will more than likely take the limited staff they have and knock on another door. If your organization is the one that cannot prove what you are doing from a privacy and security perspective then watch out because the target for the new record might be on your back.
MORE INFO:Risk Analysis and Customized Compliance