The Risks of Exposure to Businesses Concerning Data Breaches and the Need for Cyber Security Policies
Every day we read about a new virus, a new hack, or a new data breach. On May 8th, 2014, the United States Department of Health and Human Services announced another settlement for the unauthorized disclosure of electronic Personal Health Information (ePHI). This time, New York and Presbyterian Hospital (NYP) and Columbia University (CU) paid $4.8 million after it was discovered that the ePHI of 6,800 individuals, including their patient status, vital signs, medications, and laboratory results, had been disclosed. The ePHI had been held on their network. According to the HHS press release, the breach occurred when a CU-employed physician who developed applications for both NYP and CU attempted to deactivate a personally owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.
Fines are not the only risk when ePHI or other protected data is exposed. HIPAA regulations require notification of prominent media outlets if more than 500 individuals’ ePHI is exposed. When data breaches become public, the effects can be devastating. Think how many people did not shop at Target when their credit card information was stolen. USA Today estimated the loss at $61,000,000. And, as a result, Target’s CEO, President and Chairman Gregg Steinhafel stepped down following the data breach and other problems. [1]
So what does this mean for you and your business? Well, one possible answer is that you need to do more, even if you think you are doing enough. Stroz Friedberg recently reported the results of a study finding that employees give their employers a below-average grade on cyber security issues. [2] And even senior leaders believe their own efforts are inadequate:
- Nearly half (45%) of senior management acknowledge that the C-suite and senior leadership themselves are responsible for protecting their companies against cyber-attacks.
- Yet, 52% of this same group indicated they are falling down on the job, rating corporate America’s ability to respond to cyber-threats at a “C” grade or lower.
- Rank-and-file workers differ in their opinions about cyber security accountability, with 54% of those respondents saying IT professionals are responsible for putting the right safeguards in place.
Given there is consensus among business leaders and their employees that businesses are not doing enough to protect against potential data breaches, perhaps it is time to assess whether your business is prepared. Goodell, DeVries, Leech & Dann’s forward-thinking attorneys are at the forefront of helping our clients formulate risk management strategies to protect themselves. We advise local businesses and health care providers about current developments to answer important questions and ensure that appropriate safeguards are protecting your bottom line. Has your business appointed a security official to oversee the use and maintenance of electronic data? Have you conducted a risk assessment to determine your business’s potential vulnerabilities and compliance with applicable regulations? Is there an insurance policy in place to cover any losses or fines you might incur as a result of a data breach? We can help develop policies to protect you and your business. By knowing where the problems come from, we can help you on the front end.
[1] http://www.forbes.com/sites/greatspeculations/2014/05/08/targets-ceo-steps-down-following-the-massive-data-breach-and-canadian-debacle/