News of the data breach suffered by Anthem continues to dominate the news (here, here, and here for example). And, further raising the stakes, class action lawsuits from individuals whose information has potentially been compromised are beginning to roll into courthouses across the country (California, Alabama, Indiana, Georgia, California (again), and California (again)). Because health care data is such a hot commodity on the black market, hackers often target health care providers and other entities who have health care data. Data breaches aimed at health care information were way up last year, and attempted data breaches are only expected to increase.
Encryption, which Anthem didn’t have according to news reports, goes a long way toward securing this sensitive data. However, even with encryption, it is worthwhile for providers large and small to review existing data security/breach response policies or institute new ones targeted at current technologies. Considerations include:
- Organize your data network and know what information you have and where it is (including technologies like cloud computing, printer/copiers, and employees’ mobile devices);
- Update encryption, password, and remote access policies and ensure they are followed;
- Perform a risk assessment (and document it);
- Create a protocol to monitor unauthorized attempts to access data;
- Develop a plan to respond to a data breach, including technical, legal, and business continuation considerations;
- Plan for disclosures to employees, shareholders, individuals effected, media, and/or federal regulators as required
- Review state laws that may apply for additional reporting or safeguard requirements
For additional discussion, you can access recordings of our two-part webinar series on data security planning and response for healthcare providers, presented by Tom Zeno and Emily Root, along with Thomas Hibarger (Managing Director of Stroz Friedberg), and Justin Root, Special Agent – Cyber Crimes with the Office of Ohio Attorney General