DataBreaches.Net

Putting data breach genie back in bottle? Good luck

Posted on by Dissent

Over on FierceHealthIT, Anne Zieger writes:

[…]

The problem is, nobody can put the data breach genie back in the bottle once it’s gotten out. Once data has been compromised, even a company with the billions in revenue enjoyed by TJX can make consumers feel completely insecure. And paying a huge settlement won’t do a thing to fix the problems that caused the breach (whatever they may have been in TJX’s case).

No, I think the right way to achieve equity in cases like this may very well be court-ordered forensic examinations of the defendant’s IT infrastructure and a thorough analysis of what went wrong. Then, that company would be required to make the repairs suggested, or at least comparable ones by other consultants of its choice. No paying off people or apologizing to make it go away.

As for healthcare organizations, one could argue that they have even higher obligations, given the human cost of such breaches extends beyond the financial. Of course HIPAA does cover this situation, but given how seldom it’s enforced, it appears other procedures may be needed specifically for data breach situations.

The bottom line is that we still hear far too often about data breaches in hospitals and clinics, ones that weren’t exactly done by master criminals. Let’s at least raise the bar. If we don’t, the public isn’t going to trust health institutions at all, and that could torpedo countless plans. We can’t afford the luxury of “I’m sorry” any more.

Forensic examinations may help prevent future problems going forward, but they are cold comfort to those whose privacy has already been breached. How does a clinic mitigate harm to a patient whose pharmacy records or personal health information was exposed on the web for all to see? Saying that there is no real way to put the genie back in the bottle may serve as a convenient excuse for those who have no idea how to mitigate the harm they might have avoided had they better security and privacy protections in place. Saying “you can’t put a price on something” should not serve as an excuse for not putting any price on it.