Companies must know what they don’t know

The EU Information Commissioner’s Office (ICO) has stated with its recent fine for Sony of £250,000 that lack of knowledge of a data breach is no longer an adequate defense. This fine was given not because of actions Sony took on breaches they knew about, but because of their lack of knowledge of breaches that the EU deems they should have known about, given the technical knowledge and resources available at Sony.

To claim that you cannot act on vulnerabilities that you do not know of has been a common defense and one that seems rational and logical to most companies, but the ICO’s recent fine suggests that it is unlikely to work in the future. This sort of thinking would be an inhibitor to security initiatives because once you know about a problem, you have to make a determination as to the risk it presents and how you will deal with it.

So how do you know what you don’t know? This has been a question for centuries but in this case, the expectation is that companies will perform activities such as regular risk assessments based on data collected from vulnerability scans to identify security controls that can reduce risks to an acceptable level and that they will monitor equipment to detect anomalous behavior. The tools to perform these activities are easily available and various open source options can be implemented at a low cost to the company. However, it will take someone experienced with risk assessment and the tools used to make the data obtained from them actionable. Consider using a security consultant if this is not a skill your company has in-house.

HHS begins fining for lower impact data breaches

On January 2, 2013, the Department of Health and Human Services (HHS) fined the Hospice of North Idaho $50,000 for violations of the Health Insurance Portability and Accountability Act (HIPAA). The primary violation was the loss of an unencrypted laptop containing Personal Health Information (PHI) for 441 patients, but the fine included non-compliance areas such as the hospice’s failure to perform a risk analysis and the lack of mobile device security policies and procedures. This is the first HIPAA fine issued for a breach of PHI from fewer than 500 patients.

HHS Office of Civil Rights Director, Leon Rodriguez, made it clear in his statement on the breach that HHS will hold businesses responsible for protecting PHI irrespective of their size. “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

This comes as shocking news to some who assumed that HHS would not take action on smaller breaches, which comprise the majority of health care breaches. According to the December 2012 U.S. Healthcare Data Breach Trends report, only 500 breaches involving more than 500 patients have been reported to HHS over the last 3 years, but the same period has seen 57,000 breaches involving fewer than 500 patients. These businesses should be prepared not only for the cost of notification, lost customers, breach response and remediation, but also for HHS fines in the years ahead.