Lawsuit, breaches and bashing… oh my!
Though it seems obvious that corporations have an obligation to protect the sensitive information they use for business, it still amazes me that corporate behavior in this regard is quite dismissive. Lawsuits and public embarrassment seem to be the only catalyst for action for many organizations. That is kind of sad. Not only is information not being adequately protected, but companies are ill-prepared for dealing with a crisis.
As a recent example, in Connecticut, the Attorney General is suing Health Net for failure to protect medical records of over 450,000 patients. The information was stored on a portable disk drive that “disappeared” from an office. The information on that drive wasn’t encrypted. Add to this the fact that the organization took six months to send notification to Connecticut residents whose information may have been compromised. This is a failure on many levels but certainly a failure in leadership and crisis management.
What should we be asking ourselves?
- We need to understand the information that we use and how we use it. How is information accessed, transmitted and stored? What is our legal (and moral) obligation to protect this information?
- There is no such thing as 100% security. If/when there is a breach, are we prepared to act swiftly and appropriately to mitigate the damage for our customers and ourselves?
- Do we have a communication plan in place so that we can effectively provide notification internally and externally?
- When examining other breaches, do we practice the same way? Are we at risk of compromise? How do we change this?
Part of information security isn’t just applying best practices and being vigilant. Unfortunately, there is a need to be prepared for an incident or crisis. I believe that one of the best recoveries from a crisis has to be credited to Tylenol in 1982. Another example would be the handling of a Southwest Airlines crash at Midway airport in 2005. Neither one of these is an information security incident, but certainly the lessons learned from their handling of a major crisis can be applied. Just do a search and look at the response from a corporate point of view. It’s really quite educational.
I hope we reach a time when breaches, lawsuits and embarrassment are not the motivators for applying sound information security practices and incident response plans. I’m afraid I may be waiting for a while.