Risk
10/18/2012
04:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Health Data Breach Response: Culture Change Needed

Seattle Children's Hospital CISO builds incident response team and culture of continuous improvement concerning data breaches.

7 E-Tools To Keep Patients Engaged
7 E-Tools To Keep Patients Engaged
(click image for larger view and for slideshow)
Someone has to be accountable for every part of managing a data breach incident, according to Cris Ewell, chief information security officer at Seattle Children's Hospital.

"It's bigger than privacy and security … it's about involving everyone in the organization at the highest level down to the help desk level [people] who are inputting calls into the system," he said. In a recent webinar hosted by ID Experts, Ewell said that in addition to accountability, there needs to be a shift in organizational culture to combat breaches.

Seattle Children's is a not-for-profit hospital and the academic research center for the University of Washington. It deals mainly with research, genetics and diseases, bioethics, and all avenues of pediatric care.

Ewell said the culture within his organization has changed since he implemented an incident response team. For instance, the employees at Seattle Children's have learned to expect breaches, no matter what they do to prevent them. "It's not a matter of if, but when," he said. The hospital operates under the assumption that "people will get in and there will be issues. You need to have that expectation that it's going to happen no matter what you do."

Ewell advises considering setting up outside help before an incident occurs. A small breach of 4,000 or 5,000 patients, he said, could be handled by the organization itself. But a larger breach might require additional help, such as call center professionals and interpreters. "You can do a lot in-house, but you have to have the ability to ad hoc within a short period of time for a large incident," he said.

Management should not be caught off guard by a breach, and should plan to be flexible enough to spend time rectifying problems, said Ewell. "Sometimes, we lack time and resources, and that's an element we see when you have a big or moderate incident," he said. "I've worked with small to large [breaches], and it's different depending on what resources you need, but you need to plan for that: incident response versus incident management. You want to get management pre-planning ahead of time and not just being active when you have an incident."

[ What about natural disasters? See Health IT Offers Safe Haven In A Storm. ]

Determining whether there is a breach in the first place can be one of the hardest tasks, said Ewell, followed by determining what the risk is to the institution and what patient data might have been compromised. "Part of our process is to determine that motive and intent," he said. Documentation of a breach is key. "With all breaches, tell the story: why did it happen and why did that person want that information."

"It helps me paint a picture and determine what the risks are," Ewell said. In order to meet the requirements of the Health Insurance Portability and Accountability Act, he said, an organization needs to determine if there was significant financial harm or harm of another kind done to the patient. It also needs to have documentation in place to show processes that were undertaken, and why it did or did not notify patients.

At Seattle Children's, Ewell and his team always circle back after an incident to see whether they can improve their processes, he said. "It's a continual loop of reviewing and assessing. That 60-day time limit: once you identify an incident, it gets spun up quickly and you have to make a determination of who to notify; that will keep going until the incident is done."

InformationWeek Healthcare brought together eight top IT execs to discuss BYOD, Meaningful Use, accountable care, and other contentious issues. Also in the new, all-digital CIO Roundtable issue: Why use IT systems to help cut medical costs if physicians ignore the cost of the care they provide? (Free with registration.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
10/23/2012 | 12:05:03 AM
re: Health Data Breach Response: Culture Change Needed
Regardless of what measures you put in place, data breeches and unauthorized access will always occur in a large organization with so many people requiring access to data. Seattle ChildrenG«÷s Hospital is handling the situation correctly by fostering a culture that continuously provides feedback of breeches, and improving upon the weaknesses. Treating data breeches as an opportunity to improve current practices, rather than trying to cover them up, will only result in better policies and smaller scale breeches in the future. An organization must always be prepared for a large-scale data breech because of the resources required to stay within the 60 day time limit, regardless of how probable it may be because the possibility is always there and the result can be crippling.

Jay Simmons
Information Week Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2004-2771
Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVE-2014-3569
Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

CVE-2014-4322
Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

CVE-2014-6132
Published: 2014-12-24
Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3 through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 allows remote authenticated users to inject arbitrary web script or HTML vi...

CVE-2014-6153
Published: 2014-12-24
The Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3.x through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.