Integrated Investigation Teams Can Minimize Security Risks

Data security is a big problem for the health care industry – and it’s going to get worse. In 2013, there were 267 medical/healthcare data breaches affecting some 4.7 million records, according to the non-profit Identity Theft Resource Center.



What’s ahead? Experian’s “2014 Data Breach Industry Forecast” reported that the health care industry will be the most susceptible to publicly disclosed data breaches this year, in part because the size of the industry--Americans spent $9,210 per capita on health care in 2013--makes it so vulnerable.

To deal with the security challenge, health care organizations need to get better at handling security incidents.


The University of Alabama at Birmingham Health System (UAB), for one, is addressing the problem with an integrated investigative team, which studies security incidents and undertakes corrective action.

Patricia Pritchett, UAB’s health services general counsel, is actively involved in making sure the provider meets HIPAA security and privacy guidelines. At this week’s HIMSS 14 conference in Orlando, she, along with Brian Evans, a security expert at Tom Walsh Consulting who, for a time, served as UAB’s interim information security officer, discussed what it takes to put together an integrated investigative team.

They said an organization looking to build such a team should start by:

• Establishing the group as a service function responsible for receiving, reviewing and responding to breaches.

• Defining roles and responsibilities.

• Assigning levels of authority for lead and supporting roles to make decisions and to take the necessary steps to contain, mitigate and resolve incidents.

• Designating response coordinators.

But finding the right people isn’t easy. “It’s hard to know who your team will be,” Pritchett said.

There needs to be a core group, drawn from legal and other key services, and the team needs to be able to pull in people with other specialties as necessary. And, Pritchett and Evans said, the completed team needs a good mix -- people with both personal and technical skills.

UAB looks for people with integrity who have superior verbal and written communication, diplomacy, problem-solving and time-management skills. It also wants people with backgrounds in programming, systems and applications security, security controls and safeguards, risk analysis and incident handling.

Once the group is assembled, they said, members should be assigned to one of two groups: the investigation unit or the review unit.

The investigation group, among other things, examines the incident, documents risk assessment and oversees activities related to implementing, maintaining and adhering to the organization’s standards for accessing protected health information.

The review team, on the other hand, is responsible for looking over the findings of the investigative team, requesting additional information or clarification as needed, and reviewing proposed action and remedial items.

In responding to an incident, according to Pritchett and Evans, there are four main objectives: to detect and analyze threats, to contain and eradicate incidents, to help the organization recover, and to undertake post-incident review.

Detection and analysis includes determining what happened, administering triage, assessing the nature of the incident, and deciding how to respond. Containment and eradication varies depending on the incident, but the goals are the same: stop the threat from getting worse and eliminate it by identifying all hosts that could be affected, then remove the threat, patch security holes, and restore systems.

When that’s completed, of course, there are post-incident activities, which include figuring out where systems were vulnerable and what lessons can be learned, developing processes to harden the systems, and communicating to the rest of the organization what happened and what steps are being taken.

“At the end of the day, you want a good story to tell,” Pritchett said.
