- Public shaming of data security breaches
- Working together to fix the infosec problem
- Tools to automate data breach notification compliance
Since 2009, the U.S. Department of Health and Human Services (HHS) has been publishing data breaches involving PHI to its infamous “breach portal.” The list names each healthcare organization that has experienced a breach affecting 500 or more individuals and includes breach details for consumer awareness.
With insights into when the breach was reported, the number of individuals affected, what corrective measures were taken, what monetary fines were imposed, and the categorical nature of the incident (hacking/IT incidents, improper disposal of data, loss, theft, and unauthorized access/disclosure), the publication is intended to help individuals better understand the risks associated with sharing private information and lends accountability to affected organizations.
Recently, the Texas Legislature approved House Bill 3746, which centers on publishing organizations’ security data breach details on a state-run website. Much like the HHS website, the Texas attorney general will post data breach notifications on a public website for breaches involving at least 250 Texas residents.
Knowing that consumers are averse to doing business with organizations that have experienced a breach of personal information, does this policy encourage organizations to notify when obliged, or does it publicly shame covered entities for following their breach notification obligations?
Building a Positive Security Culture
Many industry leaders say that it’s time to end the data breach stigma and work together to fix the infosec problem.
Tom Sullivan, Healthcare IT News editor-in-chief, writes that the industry must move beyond its current state of skewering hospitals for data breaches and other missteps. In his words, “Hold them accountable, slap hefty fines against negligent offenders, notify users of breaches, indeed. But the time has come to drop the finger-pointing and work together to focus on how healthcare as a community can fix the infosec problem.”
In the 2017 article “Cybersecurity is hard, got it? But let’s stop blaming hospitals for every breach,” Michael Figueroa, executive director of the Advanced Cyber Security Center (ACSC), states, “Cybersecurity is about facing adversity every single moment every single day. What we hear about is when [organizations] fail. We don’t hear about the success.”
Figueroa argues that the healthcare sector needs to work on coordinated disclosure. “We need to stop the negative conversations. Bad things happen in every stream of business. We need to learn from them instead of blaming people.” He recommends a three-pronged approach to building a new security baseline:
- Healthcare organizations must collaborate, because having everyone solve the same problems individually wastes time, money, and talent.
- Circulate information about cyberthreats and, ultimately, create a culture of sharing to advance collaboration and patient safety.
- Participate. With more collaboration and sharing, the final piece is to promote a community defense.
Fast forward to the present, and a recent Help Net Security article outlines the importance of building a positive security culture. Author Sai Venkataraman states that our shame culture is the biggest roadblock to improving security posture, and he discusses how prevalent guilt and shame culture are today.
Don’t Mess with Mister In-Between
When it comes to privacy and security incident risk analysis, the lyrics of the classic song apply: “You’ve got to accentuate the positive, eliminate the negative, latch on to the affirmative, don’t mess with Mister In-Between.”
Privacy professionals can turn to Radar incident management technology to streamline compliance with data breach notification regulations and get guidance that is backed by data. At the heart of Radar is the Radar Breach Guidance Engine™, which uses our unique algorithm to drive automated risk assessment in a matter of seconds. The engine:
- Determines if the incident qualifies as a breach
- Provides a jurisdiction-by-jurisdiction risk of harm analysis
- Alerts you to notification timelines for each jurisdiction
- Maps specific regulator contact information to each notification obligation
- Enables quick outreach with notification templates
It could well be that your incident is not actually a data breach, which could mean there is no need to notify. No need to notify means no posting on any “wall.”
To ensure that Radar and you are up to date on the latest data breach regulations — including Texas House Bill 3746, which takes effect September 1, 2021 — the team at RadarFirst uses multiple proven legal research tools to monitor and maintain up-to-the-minute information on data breach notification legislation and regulations.
What’s more, we offer the Breach Law Library, a free library of hundreds of global privacy laws, rules, and regulations that helps you stay current on existing and proposed legislation. Check it out for interactive maps, up-to-date overviews, incident risk assessment and data breach reporting requirements (as well as penalties for non-compliance), and details on proposed and recently passed legislation. Even if your organization feels the pain of a data breach (no judgment here!), you won’t feel the pain of incident response management.