Govinfosecurity.com
Originally published February 8, 2012
What can be learned from the more than 390 major breaches affecting more than 19 million individuals that have been reported as a result of the federal HIPAA breach notification rule? Plenty, breach prevention experts say.
Here are eight key breach-prevention insights from information security thought-leaders:
1. Don't Forget Risk Assessments
The details of the biggest breaches last year "make it painfully clear that inadequate, if any, HIPAA security risk analysis took place prior to the breaches," says Dan Berger, CEO at Redspin.
2. Encrypt Mobile Devices, Media
"Even though encryption is what's referred to as an addressable standard in the HIPAA security rule - which means it's not actually mandated in all cases - I don't see any reason why information shouldn't be encrypted in all cases on portable media and devices," says Robert Belfort, partner at the law firm Manatt, Phelps & Phillips LLP. "That's one step that organizations can take that can address a very significant share of the types of breaches that are occurring."
3. Beef Up Training
"People have to be trained to understand the policies of the organization, and they have to be trained about common-sense safeguards that they can follow to avoid breaches or the misuse of information," Szabo stresses.
4. Conduct Internal Audits
In addition to training, an important step toward addressing internal breach threats is to conduct audits of records access, Belfort says.
5. Monitor Business Associates
About 22 percent of major breaches, including many of the largest incidents, have involved business associates. As a result, it's essential to work with vendor partners to ensure they're taking adequate breach prevention steps.
In the Resources section of this blog, there is a white paper, "Preventing a Data Breach and Protecting Health Records – One Year Later: Are You Vulnerable to a Breach?" by Kaufman, Rossin & Co., that expands on these security issues.