Wednesday, 29 April 2015

Cybersecurity legislation only a partial solution

Data breaches have grabbed headlines in recent months, and arguably none was more shocking than the one that occurred at Anthem, the nation’s second largest health insurer. That breach compromised the Social Security numbers, dates of birth and e-mail addresses of about 80 million current and former Anthem members and employees. That’s the equivalent of the combined population of California, New York, Illinois and Maryland.

In the wake of the Anthem and Sony breaches, the Senate Intelligence Committee recently passed the broadly bipartisan Cybersecurity Information Sharing Act (CISA), which would make it easier for private sector companies to share information about cybersecurity threats with government agencies. That bill is expected to be fast-tracked through Congress this spring.

The Center for Strategic and International Studies estimates that the total economic loss associated with cyber-attacks runs as high as $400 billion per year. That’s why Congress will likely act quickly to address the problem. While in committee, CISA received 12 amendments to help safeguard privacy. As the bill moves forward, organizations like the nonprofit Center for Democracy and Technology are calling for Congress to remove consumers’ personally identifiable information – in our world, HIPAA data – before it gets shared with government agencies. With those safeguards in place, it will be a bill worth passing.

But legislation alone won’t be a total solution, especially in healthcare.

The shocking truth is that only about 6 percent of healthcare data breaches to date (as reported on the Health and Human Services “Wall of Shame”) are the work of hackers. The other 94 percent are the result of simple human errors and transgressions, usually made by a provider’s own employees or business associates. The miscues run the gamut from snooping into celebrity health files and improperly disposing paper records to losing laptops containing unencrypted patient data. In short, a hospital or health system might congratulate itself on avoiding an Anthem-scale breach, only to get stung by smaller breaches that can still tarnish its reputation and cost millions to remedy.

The minimum regulatory fine for a HIPAA violation involving willful neglect is a staggering $1.5 million per violation – and most data breaches involve multiple HIPAA violations.

Sadly, too few healthcare organizations have a formal process for benchmarking the maturity of their information risk management (IRM) programs. (The FBI made this clear in an August 2014 alert.)

The healthcare field lags far behind most other industries in this critical benchmarking process. For example, most large retailers routinely use maturity models to test the efficacy of their supply chain management. The consulting firm Accenture even has a “green” maturity model to assess its IT clients’ environmental and sustainability programs.

Source: http://ift.tt/1EoG8KW



from cyber security caucus http://ift.tt/1ODSHde
via IFTTT

No comments:

Post a Comment