Adviser Vol. 3 2016 | Page 24

Feature: My Data ... (Continued from page 22)

... price of losing your reputation and subsequent lost clients due to lack of trust. Add to that the ongoing fines (as of 9/2016, almost $46M) doled out by the OCR (e.g., University of Washington Medicine pays $750,000 to settle HHS charges; $2,140,500 HIPAA fine for St. Joseph Health; University of Mississippi Medical Center hit with a $2.75M fine after an investigation due to a reported breach; Advocate Health Care agrees to $5.55M OCR HIPAA settlement; $2.2M settlement with New York Presbyterian Hospital; Feinstein Institute for Medical Research agreed to $3.9M to settle potential violations...). Simply put, the cost of securing your data and your company has now become drastically less expensive than responding to a security breach.

2017: The year to get out of "Ostrich Mode"

2017 is the year to get all the "security ostriches" and data loss non-believers to take their heads out of the reactive sand and get proactive. It is clear that we should worry about the following:

• Data and fraud attacks focused on small to medium-sized businesses will become more coordinated and disruptive; their data needs to be proactively safeguarded.
• Major fines for healthcare organizations from negative results of the HIPAA Breach Audits will continue.
• The OCR will continue its efforts and audits of covered entities with an enhanced and ongoing set of onsite audits. 2017 is also the start of the focus on Business Associate audits. Be prepared to respond.
• There was a time when having a Mac may have helped protect you -- not enough people used them in a business setting and there was no profit in attacking them -- but Apple has forged a new level of acceptance for its equipment and may be ripe for the hacking. Malware is being designed to compromise Mac and Google™ Mac, and you will find many new types of attacks. Get your protections in line.
• Social networking sites remain a significant threat to data security. Are you blocking enough?
• IoT devices are the new gateway for hackers and for lateral movement of malicious code. Do you know what devices you have in your organization?
• There is no end in sight for lost or stolen unencrypted laptops, USB drives, cellphones and other portable devices. How good is your Bring Your Own Device (BYOD) and portable device use policy?

Adding training and education for the user community and for the key individuals tasked with protecting assets will require additional budget and continuing professional education.

What to Do Now

While any information security process improvement, including enhanced and auditable security controls, proactive protection and automated event monitoring, is advisable and required by law, there are 10 key areas that you may want to focus on first, including:

1. Risk Assessments. Accurate, thorough and repeatable assessments are required to meet HIPAA and many other data security laws. Don't shortchange or underestimate your risks by limiting your assessment scope. Currently, an effective risk assessment and risk management program is one of the key Optical Character Recognition (OCR) Deskside Audit requirements. It is also one of the top five reasons that auditees fail an investigation or have had a data breach. Focus on performing a risk assessment over a period of time, not just at a point in time. It will give you an evidence-based picture of how well your controls are operating for the periods assessed.

(See My Data on page 24)

Adviser, a publication of LeadingAge New York | Fall 2016