
Financial institutions set the standard for protecting customer information

By Carl Abramson and Peter Avellino

HUMAN ERROR, malicious intent and disregard for the law by those entrusted to protect the privacy of personal information have resulted in breaches of information security affecting more than 90 million in the past 18 months. These breaches can severely compromise an organization’s bottom line and reputation.

Financial institutions have had their share of breaches. They’ve been forced to make significant changes to policies, procedures and technical infrastructure to support their transition to a digitally driven environment and adhere to several rules and guidelines, such as the Gramm-Leach-Bliley Act safeguards rule, Interagency Guidelines Establishing Standards for Safeguarding Customer Information and the Sarbanes-Oxley Act of 2002.

Unlike healthcare organizations, financial institutions have been serious about fixing security problems. One important driver has been aggressive enforcement by the Federal Trade Commission. For example, the FTC recently charged CardSystems Solutions with violating federal regulations by compromising the debit and credit card information of 40 million cardholders, saying it “faces potential liability in the millions of dollars under bank procedures and in private litigation for losses related to the breach.” ChoicePoint Inc., a credit bureau, was recently fined $15 million for permitting thieves to access credit information of 145,000 people, resulting in 900 cases of identity theft.

Despite these well-publicized failures, financial institutions have vastly improved their ability to protect customer information. Healthcare providers are on the same all-digital path and can learn from the finance industry’s successes and failures.

Significant lessons for healthcare providers include the following:

• Develop and enforce effective policies and procedures. Financial institutions have greatly improved compliance and enabled risk management by comparing actions against written standards. Healthcare organizations must develop policies and procedures that provide a forum to identify, and an opportunity to resolve, budget constraints and organizational dysfunction, and that mitigate existing risks.

• Know who accesses your information and why. An organization should accurately identify who is using its information and whether they are entitled to do so. For example, ChoicePoint actually gave the perpetrators authorization to access data and did not perform the due diligence to reliably qualify its customers. Healthcare providers must ensure that each workforce member can be trusted to access health information and must grant the appropriate level of access. Organizations should routinely use system and application audit trails and audit their systems for unexpected behaviors.

• Know where your information is, who has possession of it and how it is used. Organizations should understand and document workflows, information systems functions, places where information is stored, and how it moves routinely and under unusual situations, both in and out of the organization. Unusual situations, which deviate from the norm, merit special attention and conscious deliberation.

• Protect the integrity of information and be careful about placing trust. To ensure the privacy and integrity of information as required by GLBA and SOX, financial institutions have implemented increased security measures to protect electronic data against penetration from both external and internal sources through access points such as firewalls, mail servers and Web servers. Non-existent or ineffective measures lead to work disruptions and significant losses in productivity.

• Invest in business continuity plans. Business continuity planning and the supporting infrastructure necessary to sustain operations during a major disruption are expensive and require substantial organizational commitment, leadership and planning skills. An organization should perform business impact analyses to identify threats, reveal potential impacts and document its dependence on information systems by identifying where and how data is created, stored, used, transported and processed.

So far, HIPAA fines are relatively small and enforcement is lax; more than 75 percent of the 18,000 HIPAA privacy complaints made to the Office of Civil Rights have been settled without fines. As a result, many healthcare executives have restricted funding for security efforts that are fundamentally necessary for the effective protection of privacy. This approach comes with high risk.

While small breaches are overlooked, others have enormous impact on the people they affect and the organization. Big leaks will make the news and negatively affect an organization’s finances, reputation and customers.

Carl Abramson and Peter Avellino are directors of Besler Consulting, a financial and operation consulting firm based in Princeton, N.J.