Data Breaches Often Have Simple Source, Fix

A health care organization can have hundreds of threats to protected health information each day and not know it, said Sadik Al-Abdulla, senior manager in the security practice at CDW Corp., during a session at HIMSS11.

A recent client, for instance, had 500 breaches a week of employee records because the human resources department was updating the records and transmitting information to the health insurer in an unsecured manner.

“So, they were breaching their own employees’ data on weekly basis,” Al-Abdulla said.

Malicious behavior accounts for only about 12%  of breaches. The rest are mostly due to accidents, clueless behavior and technological glitches that are easily fixed, he noted. The first step to solving the problem of non-malicious breaches, he advised, is to identify data stakeholders who feel personal ownership of the information and want it protected.

Next, establish a baseline of where data is, how it’s moving and where it is going. Once that’s known, you’ll find that 30% of breaches are small issues or glitches that can be fixed fast. The next 30% of breaches are tied to a handful of broken processes, also easily fixable, such as teaching users to click the encryption link before sending. Al-Abdulla also suggested implementing technology that automatically notifies users at the moment a mistake is made, such as sending a message that the email just sent contained PHI and was blocked. “When you do that, people will change,” he said.

So, right off the bat, 60% of breaches can be cut without affecting employee work practices, Al-Abdulla said. The remaining 40% of non-malicious breaches primarily are accidents and many of these can be prevented with streamlined, effective communication to data users.

Instead of requiring employees to read and sign a long, all-encompassing document on privacy and security – which they won’t read but will sign – Al-Abdulla advised writing a half-page primer that explains what PHI is and how to protect it. The primer takes minute to read, “and each of them can tell their peers.”

This story was reprinted with permission from Health Data Management.

For reprint and licensing requests for this article, click here.
Analytics Security risk Data and information management Policy adminstration Data security Core systems
MORE FROM DIGITAL INSURANCE