Handling healthcare security goes beyond just the technical side, as privacy and security compliance is critical to both data breach prevention and response plans. Experian Data Breach Resolution and the Ponemon Institute released a report today, titled Is Your Company Ready for a Big Data Breach?, that is composed of responses from mainly health and pharmaceutical privacy and compliance professionals as well as those from retail and financial services.
All 571 respondents have experienced at least one data breach, 52 percent have dealt with multiple breaches, and most work in organizations with 1,000 or more employees. Among other topics, they described their understanding of what happens as a result of a data breach, how to avoid a material data breach, and the state of their data breach preparedness plans. Here are some of the key findings:
- 76 percent of respondents expect to have a data breach that results in the loss of customers and/or business partners and 75 percent say it will result in negative public opinion
- Communications issues: Organizations can prevent negative opinion and loss of customer trust by communicating properly with the patients who have been affected by a breach. However, a mere 21 percent of respondents have an internal communications team trained to assist in these matters, and only 30 percent of respondents reported that their organizations train employees on how to respond to breach questions.
- Scope: Only 23 percent of respondents reported feeling confident in determining the potential or actual harm to data breach victims, and only 26 percent said they believe they can accurately determine which data breach victims were truly affected or harmed.
- Mobile: 78 percent allow BYOD, but only 61 percent test the devices before connecting to networks or enterprise systems.
- Lack of encryption and authentication: 44 percent see their organization as effective in user authentication, and even fewer (43 percent) change access rights soon after an employee leaves or is terminated. And 46 percent do not encrypt their data.
Missing links to data breach preparedness
Only 61 percent of respondents have a data breach plan at the ready and 67 percent have a dedicated breach response team in place. Experian and Ponemon found that the following items are frequently missing from these breach plans:
* Require mobile devices to be tested for security prior to connecting to networks or enterprise systems.
* Improve access and authentication practices to make sure that only the appropriate employees and contractors have access to their information systems, and promptly change access rights of employees and contractors when they change jobs or are terminated.
* Encrypt sensitive or confidential personal and business information stored on computers, servers and other storage devices.
* Routinely test and inspect the security of applications and operating systems.
* Monitor information systems for unusual or anomalous traffic that poses risks to the network and enterprise systems.
* Establish a privacy and/or data protection awareness program for employees and other stakeholders who have access to sensitive or confidential personal information.
* Establish processes that make it possible to determine who was affected by the breach so that there is no over-reporting or under-reporting of the incident. Also, create processes that restrict or limit disclosure of the incident until all required analyses and investigative steps have been completed.
* Improve the quality of communication with victims. This should include having an internal communications team trained to assist in responding to victims.
* Train customer service personnel on how to respond to questions about the data breach incident, verify that contact with each victim has been completed and have a process for receiving feedback from victims about the quality and responsiveness of the notification.