CISO: Don’t Focus Breach Response Too Narrowly

December 7, 2012
by David Raths
Providence exec details experience with corrective action plan

Although containing and correcting a breach of personal health information can take considerable resources, one chief information security officer warns that it is a mistake to focus the response too narrowly.

Speaking during an AHA Solutions webinar on Dec. 6, Michael Boyd, director of information security management for 32-hospital Providence Health & Services, said, “Don’t let the single incident define your security program, because it can lead to a dangerously narrow vision and identity.” Boyd, whose organization had to respond to several incidents of off-premises laptops, backup tapes, and disks being lost or stolen in 2006, added: “You don’t want your information security department to be seen as just the Office of Laptop Encryption.”

A Dec. 6 Healthcare Informatics story detailed the results of a study by the Ponemon Institute about the frequency, causes and cost of data breaches. Among other things, the study found that 45 percent of organizations have experienced more than five data breaches during the past two years.

Describing the impact of the Providence breach, which occurred before he worked there, Boyd estimated it cost the organization somewhere between $7 million and $27 million, including civil litigation. It also had to agree to a three-year corrective action plan with the HHS Office of Civil Rights. If you find yourself in that situation, he suggests that during negotiation you should keep it focused on fixing the problem where it exists. “The broader you make it, the more difficult it is to comply.”

Of course, you must ensure the organization does not fail the corrective action plan, or you risk being fined. You also have to make sure you don’t expose yourself to another breach in that same area.

Boyd says CISOs can take advantage of the attention a breach brings to ask: how do we tackle the rest of security? “You can build credibility by being the voice of reason,” he said.

He suggests regularly sharing concerns about new technologies such as cloud computing and BYOD by combining external examples with internal experience. As an example, he said, he used a 2011 event at Sutter Health involving the theft of a desktop workstation holding unencrypted patient records to push for acceleration of a Providence desktop encryption program.

You can replace “fear, uncertainty and doubt,” he said, with nuance, fact and confidence. “Nuance is how the facts relate to your organization specifically, which provides confidence that your recommendation or response is appropriate.”