When Security Breaches Don't Have to Be Reported

By: Arieanna Schweber | 2/25/2015

Earlier this year, we talked about the distinction between a security incident and a data breach and that one does not have to trigger the other. Data from the OCR indicates that 60% of the large data breaches could have been prevented by encrypting laptops and mobile devices, at the very least. In other words, the theft or loss of these devices need not have led to the breach of data. If data is protected - by encryption, at the very least - healthcare organizations can ensure patient data is safeguarded.

We recently contributed to a whitepaper created by the Institute for Health Technology Transformation (iHT²), When Security Breaches Don’t Have to be Reported, which outlines the issues of electronic health records, mobile devices and a mobile workforce as a challenge to securing PHI. The whitepaper shows how, despite an increase in the number of attack vectors, it is possible to secure healthcare data on mobile devices and to prove compliance, even if these devices are lost or missing.

The new whitepaper will take you through the regulatory environment affecting healthcare organizations, policies and procedures, employee security awareness and, lastly, security technology. While encryption is often touted as the best solution for data protection, it is really just the first step, and not an infallible one. Most full-disk encryption programs are vulnerable to cold boot attacks, and all software-based encryption systems are vulnerable to various side-channel attacks. Encryption can be bolstered by a persistent security and management solution.

In the whitepaper, we discuss how endpoint management and security can play a role in protecting healthcare data in the event a device is lost or stolen. Good endpoint security solutions, such as Absolute DDS, offer key security functions in governance, risk management and compliance (GRC). Our solution includes an audit trail to show who viewed the data, whether it has been changed, where it resides, and how it’s protected (including the status of encryption); if files are deleted, the audit trail can prove it. This is all supported by persistence technology, which cannot be removed.

The end result of robust endpoint security is that the loss of a device does not need to lead to a costly data breach. If you can prove, with the support of a layered security approach and audit trails, that you have sufficiently mitigated the security risk, you don't need to report the incident. Continue reading this whitepaper about when you can avoid reporting data breaches.

We invite you to continue the discussion with another healthcare whitepaper we recently released. In The Cost of a Data Breach: Healthcare Settlements Involving Lost or Stolen Devices, we look at the issues of balancing a mobile workforce and connected devices against an intricate regulatory environment. This whitepaper details some of the most costly data breaches that resulted from lost or stolen devices.