Getting Basics Correct Key to Avoiding Data Breaches

Intrusion identification systems, next generation firewalls, insider threat management software and data encryption will all help healthcare groups recognize danger, cut out security violations, and identify attacks quickly when they happen.

even with all of these measures it is still vitally important to address the security basics. The Office for Civil Rights Breach portal is filled with examples of HIPAA data breaches that have been caused by the simplest of errors and security errors.

Strong security begins the fundamentals. This was recently highlighted in a number of blog posts by the FTC. The posts are aimed at aiding businesses improve data security, prevent data violations and prevent regulatory fines. While the blog posts are not specifically targeted at healthcare groups, the topics covered are relevant to organizations of all sizes in all industry areas.

The series of blog posts are of particular interest to small and medium-sized healthcare groups that are finding data security tricky.

The blog posts are a perfect starting point to ensure all the security basics are addressed. They tackle 10 basic security principles the FTC looks at when examining complaint and data breaches. The blog posts use case studies from FTC cases and 60+ complaints and orders, including settlements reached with groups that have failed to implement proper security measures. The FTC has also listened to the obstacles faced by businesses when attempting to secure sensitive data and offers practical tips to address those obstacles.

While the FTC has taken action against groups, in the majority of cases investigations have been completed without any further action necessary. Companies may have experienced data violations, yet they got the fundamentals correct and had implemented reasonable data security measures. They may not have been adequate to avoid cyberattacks and other security attacks, but they were enough to prevent a fine.

The same principles apply to Office for Civil Rights investigations into HIPAA data breaches. OCR looks into all breaches of more than 500 records, yet only a tiny percentage of the 2,000+ data breaches made known to OCR have lead to a financial penalty. If you want to avoid a FTC or HIPAA fine, it is important to get the basics correct. Getting thefundamentals wrong can be very costly.

The FTC blog covers the following aareas of data security:

  1. Begin with security.
  2. Control access to data smartly.
  3. Make secure passwords and authentication a requirement
  4. Store sensitive personal data securely and protect it during transmission.
  5. Divide your network and monitor who’s trying to access it.
  6. Secure all remote access to your network.
  7. Apply sensible security practices when developing new products.
  8. Make sure your service providers put in place reasonable security measures.
  9. Implement procedures to keep your security current and address weaknesses that come up.
  10. Make paper, physical media and devices as safe as possible

The series of blog posts/articles have been collated into the FTC’s Start with Security brochure, which is a “nuts-and-bolts brochure that distills the lessons learned from FTC cases down to 10 manageable basics applicable to companies of any size.” The blog posts and brochure can be downloaded on this link.

HIPAA-covered groups should also subscribe to OCRs cybersecurity newsletter, which details new threats and further steps that covered groups should take to enhance security and keep ePHI secure. To subscribe for the newsletter, click here and be sure to view the Security Rule guidance material published by HHS.

Author: Maria Perez