HIPAA HITECH: Know how your PHI is Handled

June 23, 2013

This survey reveals that a lack of attention to written policies and procedures can lead to a HIPAA data breach. CEs must have a process in place to manage their BAs. How else will they “know where all of its data is going and how it is being managed, particularly if it goes to a third party”? The nightmare scenario the authors paint is:

“It’s the phone call every CIO fears. It’s 3 a.m., and you’re notified that there’s been a major security breach and data loss at your company. Millions of customer records have been compromised. What’s worse, the breach occurred at one of the organization’s data management vendors, and there’s a realization that 1) you and your company do not know the level of security protocols the vendor has in place, and 2) your company bears full responsibility, under the law and in the court of public opinion.”

BA Tracker is a cost-effective and efficient method of managing your BAs. Profiles of your BAs are kept on a private and secure portal that can be accessed only by authorized personnel. Surveys ask the BAs to define how they access PHI, how they store it, how they process it and, most importantly, how they protect it. Learn more at www.compliancehelper.com/batracker

Here is the article:

2013 IT Security and Privacy Survey

Knowing How – and Where – Your Confidential Data Is Classified and Managed: A Survey on the Current State of IT Security and Privacy Policies and Practices http://www.protiviti.com/ITsecuritysurvey

It’s the phone call every CIO fears. It’s 3 a.m., and you’re notified that there’s been a major security breach and data loss at your company. Millions of customer records have been compromised. What’s worse, the breach occurred at one of the organization’s data management vendors, and there’s a realization that 1) you and your company do not know the level of security protocols the vendor has in place, and 2) your company bears full responsibility, under the law and in the court of public opinion.

Fortunately, many CIOs, IT departments, and executive management and information management teams are addressing these issues every day. The results of Protiviti’s second annual IT Security and Privacy Survey indicate a number of positive trends, as well as critical areas for improvement:

Information management as strategic priority – There is an encouraging rise in the involvement of the CIO in activities including but not limited to data governance oversight and execution, along with crisis communications. More CIOs are in place today within companies, reflecting a recognition that data is a critically important asset that must be managed differently and even more effectively than other assets.

Lack of key data policies – One in four companies does not have a written information security policy (WISP), and one in three lacks a data encryption policy. These are critical gaps when considering the legal implications of such omissions.

Less-than-ideal data retention and storage practices – The stream of data companies are managing is increasing almost daily, yet few address this volume with a detailed and comprehensive classification system. Many, in fact, treat all of their data the same, rather than classifying it appropriately.

Unprepared for a crisis – In light of the many well-publicized data breach incidents and numerous data breach and privacy laws, a surprisingly high number of companies are not adequately prepared to respond to such a crisis.

These findings, other results from this study and our analysis are included in our report.
