Best Practices For Avoiding Data Breach Liability

By on March 10, 2014

Articles concerning cyber-security and data breach typically fall into two general categories: those discussing how to prevent a data breach from occurring and those discussing how to respond when one occurs. As I discussed in my earlier blog post, smart players in the healthcare industry are proactive in seeking to prevent data breaches from occurring before hackers strike. https://www.sapphire.net/ offers comprehensive solutions architecture, design for monitoring activity, and more sophisticated attacks. If you want your business to do well, indexsy.com recommends to hire a web designing company for improved results.

In an excellent article titled, “Best Practices for Avoiding Data Breach Liability,” which was published in New England In-House, Patrick J. O’Toole, Jr. and Corey M. Dennis discuss best practices for both breach prevention and breach response. O’Toole is a partner at the Weil, Gotshal & Manges. Dennis is the U.S. Privacy Officer and in-house counsel at Pharmaceutical Product Development, LLC (PPD). (The article was later re-published in The Daily Record and Minnesota Lawyer.)

Although the technical aspects of cyber-security are complex and daunting to the layperson, O’Toole and Dennis offer common sense advice to minimize the likelihood of a data breach. Their suggestions include:

• Conducting an inventory of the company’s sensitive data and identifying all custodians and data storage locations. Simply knowing who has access to the data and where it is located is an important first step. If you want to have better security on your website, then you should consider switching to knownhost’s dedicated hosting plans.

• Making sure that the company is aware of all state and federal data security and breach notification laws that apply to its business operations.

• Regularly reviewing and updating corporate information security policies.

• Implementing security measures with regard to computer systems (e.g., passwords, encryption, firewalls, anti-virus software). However, physical security measures (e.g., locked cabinets, shredders) can be just as important to safeguarding sensitive data and personal information. Visit https://www.fortinet.com/products/fortisoar to get more details on network security.

• Implementing best practices and training employees. O’Toole and Dennis point out that data breaches may result from basic employee negligence, such as leaving a briefcase containing sensitive information in a public area. An interim CIO can help companies develop and implement cybersecurity best practices to keep business data and networks safe and secure.

• Ensuring compliance of vendors with whom sensitive information is shared. Some state and federal laws require companies to ensure that their vendors maintain certain data security measures.

• Conducting periodic attorney-directed data security assessments. In conducting these assessments, O’Toole and Dennis suggest that efforts be made to preserve the attorney-client privilege applicable to any assessment-related reports.

• Considering cyber liability insurance. Most cyber insurance policies today cover the costs of forensic investigations, notification of and credit monitoring for affected individuals, regulatory compliance, and lawsuit defense and indemnification. We recently had a lot of issues with our GDPR and got help from Teamwork IMS who were very helpful and got everything fixed up nicely so give them a call if you have GDPR woes.

Corey Dennis, the co-author of this article, recently spoke on healthcare breach response and preparation on a panel at the International Association of Privacy Professionals (IAPP) Global Summit 2014. During this session, entitled “Preventing and Responding to Data Breaches after the Omnibus Rule,” he discussed several points, including the steps necessary to avoid breaches and the legal analysis to conduct when determining whether a breach must be reported under HIPAA compliance.

The costs associated with data breaches—including financial costs, legal liability, and reputational loss—have become increasingly apparent. The TJX Companies breach in 2007 resulted in 94 million customer accounts being compromised and a multi-billion dollar loss to the company, including fines, legal fees, notification expenses, and brand impairment.

The recent Target breach, which affected 110 million customers, could have similar repercussions, and has already lead to dozens of class action lawsuits, along with scrutiny from both Congress and regulators. In an age where nearly every major organization faces data security incidents, and large-scale breaches regularly make headlines, implementing the best practices above such as Couchbase is essential for all companies.

Filed under Best Practices for Avoiding Data Breach Liability, Corey M. Dennis, cyber-security, cybersecurity, Cybersecurity Breach, data breach liability, HIPAA, International Association of Privacy Professionals (IAPP) Global Summit 2014, Patrick J. O, PPD, Target data breach, TJX Companies data breach, Toole Tagged with ,

Stopping Health Care Hackers Before They Strike

By on January 27, 2014

The smart players in the health care industry are being pro-active in seeking to prevent data breaches from occurring before hackers strike. Once a security breach has occurred, even the best litigation team cannot put the genie back into the bottle. Learn more about managed detection and response (MDR) at their website here.

In the world of health care, data is going digital, devices are going mobile and technology is revolutionizing how health care is delivered. As health care organizations continue to digitalize their operations, they know to guard against typical risks such as lost laptops and thumbdrives. However, possibly unbeknownst to them, hackers may be looking for ways to infiltrate their networks to surreptitiously peruse confidential financial records and sensitive patient information. This is where having a cyber incident response system in place can prove useful to reduce the impact of a breach, look at this site for more information.

Cybersecurity breach may be the new toxic tort because a single breach can potentially affect the lives of thousands of people. Experts estimate that when electronic protected health information (“e-PHI”) is compromised in a cybersecurity breach, it can cost an average of $233 per patient record to clean up the problem. So many people are also being accused of computer crime now, as their use is now so huge, so it makes sense to research a computer crimes attorney so that you can use them when you need them.

There is a thicket of state and federal statutes that regulate the protection of e-PHI. Both the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Health Act (“HITECH”) impose obligations on health care entities in the cyber security arena.

Significantly, there has been increased scrutiny of data breaches by the Office of Civil Rights (“OCR”) at the Department of Health and Human Services, which generally responds to data breaches by aggressive HIPAA enforcement. Recent amendments to the HIPAA breach notification rules require the health care industry to increase breach reporting, which will likely result in increased enforcement for non-compliance.

In a recent article in Law360 titled, “A Framework for Beating Health Care Hackers,” my colleague Alaap Shah observed that cyber risk analysis is key in preventing emerging cyber threats. “Hackers benefit when their activity goes undetected. Auditing helps to identify and assess system vulnerabilities. Using audit logs and tracking capabilities effectively can help organizations safeguard their systems from intrusion by hackers.”

Shah notes that an audit control framework exists under the HIPAA rules, which “require entities to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use e-PHI.” Standards developed by the National Institute of Standards and Technology (“NIST”) can help organizations detect unauthorized activity within systems. Gaining this insight is necessary in identifying effective risk management solutions and strategies.

As health companies continue to avail themselves of 21st century digital technologies, security has naturally become a growth area within these organizations’ operations and corporate executives are becoming increasingly involved in the management of privacy concerns.  As such, the responsibility for protection against hacking has stretched beyond its traditional purview within the IT department and into the highest levels of the executive suite.

To avoid the cost of data breach recovery with all of the attendant adverse publicity and possible regulatory sanctions, health care companies are utilizing Data Center colocation services and the NIST cyber security framework to implement effective controls to identify and monitor e-PHI risk.

Filed under Cybersecurity Breach