Yesterday the PSALA held a HIPAA roundtable for its members. Upcoming changes to HITECH regulations are making law firms look more closely at how their clients’ and employees’ Personal Health Information (PHI) is safeguarded. These new regulations make a business directly liable for any breaches of PHI that it holds; this leads to a myriad of concerns including liability insurance, response plans in the event of a breach, and how to prevent breaches from happening in the first place.
David Leonhardt (our operations partner) was invited to join the panel to talk about Seitel Systems’ experience and what we’re seeing on the network security side of things – the all-important “prevention” piece of the puzzle. Since we work with law firms almost every day, we see what goes on “in the trenches” and can identify the common factors that leave law firms particularly vulnerable. This is a case where an ounce of prevention really is worth a pound of cure.
While David largely avoided becoming an arm-waving prognosticator of doomsday, he strongly emphasized the clichéd-but-still-valid point that it’s not a matter of if a business will experience an attempted hack, but when. The goal is to minimize exposure; know where the sensitive information lives and who has access, and put additional layers of protection where they will do the most good.
Many small businesses that lack the inclination or resources to plan ahead find that, once a breach occurs, they have to learn everything they can and act very quickly, and they end up spending many times more money cleaning up the problem than prevention would have cost. The most common time for a business to implement a secure network policy is the week after a breach. Of course, the better time to make a plan and invest in implementing it is before a breach is attempted.
Recent sizeable hacks have been in the news more regularly, and some have hit close to home (like Premera Blue Cross here in WA state), yet a somewhat lackadaisical attitude toward security persists among small businesses. Perhaps that attitude is not helped by the popular stereotype that the people who try to steal PHI are mostly curious teenagers acting on their own, hacking into networks just to see if they can. The grim reality is that these are sophisticated criminals: they have complex tools reaching around the world, they choose specific target organizations, and their goal is to make as much from those targets as they can before the breach is discovered.
Even in light of that knowledge, the biggest obstacle that prevents many organizations from adopting effective network security policies is that strong policies inherently make business less efficient. It can be difficult to convince a senior partner at a law firm that it’s worth the extra inconvenience of having a complex password, or of encrypting any sensitive data that they have on their laptop. Even when they know what they should do or that they need to invest in a new firewall, it can be hard to make a decision to spend the money and so many business owners “decide not to decide” until it is too late.
In a regulatory environment where the business is now legally liable for any data breach, those aren’t decisions to be taken lightly. Even if your business could withstand the steep fines levied for a breach, or you have great insurance coverage, your reputation might not be quite so durable.