
In June Advize Health’s very own Joshua McElroy participated in a panel hosted at WellCare in Tampa, FL. Joshua was in the company of three other subject matter experts from Schellman & Company, Bright House Networks, and Kroll, who all spoke on the topic of “Incident Response Plan: From a Reactive to Proactive Approach”. The panel took an in-depth look at the data breach problem that has been plaguing nearly every professional industry, and proposed solutions for actively preventing the loss of data.

Inspired by the panel to strengthen our own Incident Response Plans and to become an even more security-oriented organization, we’d like to share a few highlights from the event in order to encourage others to do the same. By understanding why breaches continue to occur, and the devastating financial losses that come as a result of data breaches – we hope that other healthcare organizations will follow us on a journey to awareness and proactivity.

In Verizon’s 2013 Data Breach Investigations Report (DBIR) it was reported that 62% of intrusions against businesses took at least two months to detect. What’s even more disturbing about this length of time is that in 92% of those cases the company only discovered that a breach had occurred after being notified by a third party. These statistics emphasize the need for proactive approaches to data security. It has been proven that reactive responses are much too little, far too late.

Data breaches are extremely damaging to a company’s bottom line, as individual records can sell for hundreds of dollars. On average, the loss of a batch of 1,000 records can cost as much as a house, or several houses. Ponemon estimates that a loss of 1,000 records can cost between $52,000 and $870,000. When a company loses data with this high a price tag, it is not just losing protected information; it is losing profits and credibility, and most likely facing a lawsuit. Public breaches assault a company’s bottom line when you factor in the cost of customer and client notifications, compliance fines, and more.

It may come as a surprise that the root cause of most data breaches is internal process and human decision making, but this is the outcome revealed by several studies. Ultimately, data breaches are accidentally facilitated by employees of the compromised organization. Ignorance or disregard for policy has often been the source, or at least the catalyst, of massive data breaches…and these breaches are far more common than you’d think. In July 2014, a study of company infrastructure across multiple sectors of business revealed that nearly 70% of businesses had suffered at least one security breach within the past 12 months that resulted in the loss of protected information or disrupted operations.

These numbers are dismal. Alarming. Expensive. But – there is a way to prevent massive breaches by simply correcting a few internal practices. A few extra moments set aside each day to ensure that operations run according to policy can do wonders for a company’s bottom line and reputation as a reliable organization. Breach preparedness is a sector that is very alive and well, and it should be implemented into every process management plan. FireEye’s Breach Preparedness Study reported that 51% of companies don’t have a breach response plan that has been updated to reflect the changes undergone in the past 12 months, and that 67% of businesses rate their breach response intelligence as average/below the skill level of attackers.

The common theme in these statistics is the very existence (or lack thereof) of an Incident Response Plan. Breach Response Plans must be implemented, updated, and tested annually. Technology in every industry, especially healthcare, is constantly evolving – and with it the attackers’ ability to circumvent security systems. Response Plans should be treated as though they are a true exercise, and involvement of those executing the plan is imperative to success. Tabletop exercises and the assignment of responsibilities should be mandatory and specific. Clearly defining titles, roles, and responsibilities in the event of a breach will eliminate confusion that could stall response.

Stakeholders, decision makers, management, and the front lines of a business must all be involved in order to safeguard all aspects of operations and process flow. Participation from all hands should be required in security tests, drills, and exercises in order to keep employees trained and equipped to be both reactive and proactive.

Reactivity and proactivity cannot be mutually exclusive in these high stakes situations. Sometimes, being proactive will not be enough to prevent an attack from a highly skilled hacker – and reactivity will be the next best line of defense. Reactivity already has a proven track record of being insufficient against breaches – and so we as an industry must create plans, implement plans, and ensure their execution in order to maintain the integrity of our organizations and the data we strive to protect.