Kusserow on Compliance: Tips for protecting data against attacks and breaches

The media is filled with stories of data breaches in all business sectors. Larger organizations are not immune; in fact, the larger the organization, the better a target it appears to attackers. The largest breaches have been with the Federal Government. In the health care sector, data breaches involving Protected Health Information (PHI) have been rising rapidly. Patient records are very valuable and are sold on a per-record basis. Providers are also considered “soft targets”, especially by those engaged in “ransomware” extortions, and many pay the demands to regain access to their patient records.

No one seems immune to these types of attacks. One can hardly forget that one of the biggest successful penetration attacks on data was against the U.S. Office of Personnel Management, where sensitive information was compromised, including the Social Security Numbers of 21.5 million individuals: 19.7 million individuals who applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Even law firms that provide advice on data security to their clients have been victimized and are among those with the weakest controls to protect their data. Survey reporting by Marsh found four out of five of the largest 100 law firms had been hacked. As is common in any business arena, they noted that many don’t know they have been hacked. The following are best practice tips to assist in preventing and/or mitigating attacks and breaches.

  1. Have a dedicated information security officer who has the responsibility as well as the authority to adopt, implement, and enforce adequate security protocols, including ensuring that (a) the IT infrastructure and the creation, transmission, and storage of data protect it from unauthorized disclosure; (b) the legitimacy of data received, both its source and its content, is verified; and (c) systems and data are accessible for auditing and monitoring.
  2. Develop and implement data security policies for:
     • all external drives and mobile devices (including personally owned)
     • location and remote-erase options in case of loss or theft
     • data backup
     • installation of firewalls
     • data encryption
     • password protection
     • how to respond to any data breach
     • disaster recovery
     • records retention
     • business continuity in case of loss of data
     • uses of social media
     • vendor relationship requirements
     • use of free public wi-fi
  3. Institute safeguards and device management to protect information, such as encryption and passwords for all devices (USB drives, cell phones, tablets).
  4. Engage in ongoing monitoring to ensure that policies and procedures are being properly followed, and in periodic outside auditing of the systems.
  5. Train all covered persons on existing policies and procedures relating to data protection, and to report any suspected unusual emails. This is important because most successful attacks are the result of email users opening attachments that give entry to a wrongdoer. Users are often the ones who first detect irregularities occurring as a result of an attack, and the quicker they report it, the easier it is to contain the attack.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2016 Strategic Management Services, LLC. Published with permission.