Health care organizations have been getting hit hard lately with data breaches. And, Tricare, the insurance provider for military personnel, has taken the lead as the unfortunate poster child.
Some 4.9 million Tricare beneficiaries' personally identifiable information (PII) was lost when unencrypted backup tapes were stolen from the parked car of an employee of a business partner, Science Applications International Corp. Now, the organization is facing a $4.9 billion class-action lawsuit in which attorneys are seeking $1,000 in damages for each victim.
Security experts believe that, by now, robust risk management programs simply should be a core pillar of basic business planning, rather than an obstacle to it. Yet, as we learned at an SC Magazine Health Care Roundtable late last year, and during follow-up interviews with practitioners and experts very recently, such best practice is far from the norm.
For one, working with life-saving equipment companies is tough. Worried about the ongoing maintenance of security configurations and vulnerabilities on these devices, given that they're now connected to the entire corporate network, many CISOs are trying to use contracts to make vendors beholden to their service needs. Unfortunately, we've learned that getting vendors to sign such agreements can pose huge hurdles.
Some security pros have been able to make a bit of headway by ensuring that they're seated at the negotiation table early in the process, and that all providers vying for their business fill out security questionnaires that let the buyer gauge the soundness of each vendor's security practices and customer service. Depending on the answers, a vendor may get edged out by other, more capable companies. The questionnaire sends that message and prepares the eventual winner for the security requirements that will be written into its contract.
Such processes also apply to business partners. If they show security failings in their policies, processes or technologies, these health care providers move on to someone else who shows strength.
Perhaps such a process would have helped to prevent the data exposure experienced by Tricare. No doubt, encryption of the backup tapes could have done the trick, too. Security awareness training, as well, might have helped, along with the establishment of and adherence to tape handling practices.
As you learn from this month's article (on page 32), which assesses the issues raised by Roundtable attendees late last year and now, using standards to implement a robust governance, risk and compliance management plan is paramount. Even more important is figuring out the best practices and technology implementations to maintain for your organization so that you stay just that much safer, that much more ahead of your counterparts.