- The FTC has started a blog series to help organizations better understand the agency's approach to data security, and to help entities in numerous sectors build strong data breach prevention measures.
Starting with the FTC’s 10 Start with Security Principles, the blogs will “take a deeper dive into steps companies can take to safeguard sensitive data in their possession,” FTC Bureau of Consumer Protection Acting Director Thomas B. Pahl wrote in the first post.
“Another important source of our Stick with Security examples are the experiences of businesses from across the country,” Pahl explained. “We’ve listened to the day-to-day challenges you face in protecting sensitive information and have learned from the practical approaches you’re taking to address data security challenges.”
The second blog post reviewed how organizations can sensibly control data access.
First, entities should ensure that only individuals who need access to data actually have it. Reasonable access control can be as simple as locking a file cabinet, or ensuring that only certain personnel are able to access a database containing sensitive information.
“Not everyone on your staff needs unrestricted access to all confidential information you keep,” Pahl maintained. “The better practice is to put sensible controls in place to allow access to employees who need it to do their jobs, while keeping others out.”
Limiting administrative access will also be essential to data breach prevention, the blog post stated. For example, a company should not share a single set of login credentials among all of its employees.
“The login has administrative rights that enable designated IT staffers to make system-wide changes,” Pahl suggested. “But that same login is used by the company’s receptionist, a sales assistant, and a summer intern. The wiser approach is for the company to require different logins with only those privileges necessary for that employee to do his or her job.”
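The shared-login problem described above is easy to spot once an organization has an inventory of who actually uses each credential and what each job needs. The following added example (not code from the FTC or from HealthITSecurity) audits a constructed account inventory for shared credentials and for privileges beyond a per-role baseline, then rebuilds the inventory with one login per person holding only that person's baseline. The account names, role names, permission names and the ROLE_BASELINE mapping are all assumptions made for illustration.

```python
"""Least-privilege audit over a constructed account inventory (added example).

Assumptions: the roles, permissions, ROLE_BASELINE and INVENTORY below are
hypothetical; a real audit would pull them from the directory and the
application's own authorization tables.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    role: str                      # job function the login was issued for
    permissions: frozenset[str]    # what the login can actually do
    users: tuple[tuple[str, str], ...]  # (person, job) pairs who use this login


# Hypothetical minimum privilege set per job function.
ROLE_BASELINE: dict[str, frozenset[str]] = {
    "it_admin": frozenset({"read_customer_db", "write_customer_db", "system_config"}),
    "receptionist": frozenset({"read_calendar"}),
    "sales_assistant": frozenset({"read_customer_db"}),
    "intern": frozenset({"read_calendar"}),
}

# Permissions that amount to administrative rights on the system.
ADMIN_PERMS = frozenset({"system_config", "write_customer_db"})

# Constructed inventory: one "admin" login shared by IT staff, the front desk,
# a sales assistant and an intern (the scenario in the FTC post), plus two
# individual logins, one of which has been granted more than its role needs.
INVENTORY = [
    Account("admin", "it_admin", ROLE_BASELINE["it_admin"],
            (("alice", "it_admin"), ("bob", "it_admin"),
             ("front_desk", "receptionist"), ("sales_asst", "sales_assistant"),
             ("intern_2017", "intern"))),
    Account("carol", "sales_assistant",
            frozenset({"read_customer_db", "system_config"}), (("carol", "sales_assistant"),)),
    Account("dave", "receptionist", frozenset({"read_calendar"}), (("dave", "receptionist"),)),
]


def find_shared_credentials(accounts: list[Account]) -> list[str]:
    """Logins known to more than one person: no accountability, no least privilege."""
    return [a.username for a in accounts if len(a.users) > 1]


def find_excess_privileges(accounts: list[Account]) -> dict[str, list[str]]:
    """Permissions each login holds beyond the baseline for its role."""
    findings = {}
    for a in accounts:
        excess = a.permissions - ROLE_BASELINE.get(a.role, frozenset())
        if excess:
            findings[a.username] = sorted(excess)
    return findings


def find_admin_rights_outside_it(accounts: list[Account]) -> list[str]:
    """Non-IT logins that can make system-wide changes."""
    return sorted(a.username for a in accounts
                  if a.role != "it_admin" and a.permissions & ADMIN_PERMS)


def remediate(accounts: list[Account]) -> list[Account]:
    """Replace every login with one account per person, trimmed to the role baseline."""
    fixed = []
    for a in accounts:
        for person, job in a.users:
            fixed.append(Account(person, job, ROLE_BASELINE[job], ((person, job),)))
    return fixed


if __name__ == "__main__":
    print("shared credentials:", find_shared_credentials(INVENTORY))
    print("excess privileges:", find_excess_privileges(INVENTORY))
    print("admin rights outside IT:", find_admin_rights_outside_it(INVENTORY))
    fixed = remediate(INVENTORY)
    print("after remediation:", [(a.username, a.role, sorted(a.permissions)) for a in fixed])
    assert not find_shared_credentials(fixed) and not find_excess_privileges(fixed)
```

Running the audit on the constructed inventory flags the shared `admin` login, Carol's `system_config` right, and Carol as a non-IT account with administrative rights; after `remediate` the intervening shared login becomes five individual accounts and every login holds exactly its role's baseline, so all three checks come back empty.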
Healthcare organizations should already be implementing many of these approaches. HIPAA regulations require the “minimum necessary” approach, which states that covered entities must “make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.”
The first FTC blog post discussed how the agency investigates data security issues that have occurred within companies, and why some of those cases are closed without enforcement action. Effective staff training, along with policies to keep sensitive information secure, address vulnerabilities, and respond quickly to new threats, are all factors that may make enforcement unnecessary, according to Pahl.
There are also often details of a case that are not visible to the public but weigh on the decision. For example, even if a data breach took place, the data may have been encrypted, a factor that "substantially reduces the risk of consumer injury," Pahl stressed.
“Sometimes a company’s practices may raise initial concerns, but there are other factors that suggest law enforcement wouldn’t be in the public interest,” he continued. “For example, in some cases, a small business may have collected small amounts of non-sensitive information. In instances like that, if a breach occurs, we’re less likely to spend limited resources to investigate.”
The FTC is also not always the right agency to investigate a potential security incident. Depending on the situation, HHS, the Consumer Financial Protection Bureau, the Federal Communications Commission, or the National Highway Traffic Safety Administration could be better suited.
Theoretical risk to data can also affect whether or not FTC launches an investigation.
“For example, there may be a vulnerability in a mobile device that would take highly sophisticated tools to exploit, and even then, data could be compromised only if the hacker had the consumer’s phone in hand. If that’s the case, we’re more likely to pass on an investigation than proceed,” Pahl wrote.
Healthcare organizations could potentially be affected by FTC investigations into data security issues. McGuireWoods partner Nathan Kottkamp told HealthITSecurity.com in a previous interview that the compliance issues can be confusing.
“The question is, are they really going to enforce it or should they be deferring?” Kottkamp asked. “Do they have authority? Probably. Should they have authority if the OCR under HHS expressly has the authority?”
Covered entities and their business associates should ensure they are adhering to HIPAA requirements in terms of PHI security, and are properly documenting their policies and procedures. From there, it should be easier to show investigating agencies – whether OCR or FTC – that the proper measures were in place, even if a data security incident occurs.