CISO: Don’t Focus Breach Response Too Narrowly

Dec. 7, 2012
Although containing and correcting a breach of personal health information can take considerable resources, one chief information security officer warns that it is a mistake to focus the response too narrowly.

Speaking during an AHA Solutions webinar on Dec. 6, Michael Boyd, director of information security management for 32-hospital Providence Health & Services, said, “Don’t let the single incident define your security program, because it can lead to a dangerously narrow vision and identity.” Boyd, whose organization had to respond to several incidents of off-premises laptops, backup tapes, and disks being lost or stolen in 2006, added: “You don’t want your information security department to be seen as just the Office of Laptop Encryption.”

A Dec. 6 Healthcare Informatics story detailed the results of a study by the Ponemon Institute about the frequency, causes and cost of data breaches. Among other things, the study found that 45 percent of organizations have experienced more than five data breaches during the past two years.

Describing the impact of the Providence breach, which occurred before he worked there, Boyd estimated it cost the organization somewhere between $7 million and $27 million, including civil litigation. The organization also had to agree to a three-year corrective action plan with the HHS Office for Civil Rights. If you find yourself in that situation, he suggests keeping the negotiation focused on fixing the problem where it actually exists. “The broader you make it, the more difficult it is to comply.”

Of course, you must ensure the organization does not fail the corrective action plan, or you risk being fined. You also have to make sure you do not expose yourself to another breach in that same area.

Boyd says CISOs can take advantage of the attention a breach brings to ask: how do we tackle the rest of security? “You can build credibility by being the voice of reason,” he said.

He suggests regularly sharing concerns about new technologies such as cloud computing and BYOD by combining external examples with internal experience. As an example, he said, he used a 2011 event at Sutter Health involving the theft of a desktop workstation holding unencrypted patient records to push for acceleration of a Providence desktop encryption program.

You can replace “fear, uncertainty and doubt,” he said, with nuance, fact and confidence. “Nuance is how the facts relate to your organization specifically, which provides confidence that your recommendation or response is appropriate.”
