Breach Aftermath: Lessons Learned

CEO Offers Practical Advice Based on Experience

By , February 20, 2012.

Following a breach, take responsibility for your actions as an organization and as a leadership team. That's an important lesson learned by the CEO of an organization that experienced a breach last year caused by the theft of an unencrypted laptop.

"I, especially, as a CEO, took individual responsibility for not providing the leadership and not providing the policies, and not providing the tools to those on the front line who were just trying to do their jobs and just trying to do the right thing," says Micky Tripathi of The Massachusetts eHealth Collaborative, a not-for-profit consultancy that experienced a breach last year.

Tripathi spelled out in a recent blog the details of the organization's breach, which involved the theft of an unencrypted laptop from an employee's car. The breach, which affected about 1,000 patients of the collaborative's physician group practice clients, cost almost $300,000 to resolve.

Tripathi outlines in an in-depth interview with HealthcareInfoSecurity's Howard Anderson (transcript below) eight important lessons learned. Among them are:

  • If you experience a breach, "treat it as your most high-priority project." Tripathi held daily meetings with a crisis team to coordinate breach resolution efforts.
  • Do not underestimate how difficult it is to respond to and remediate a breach.
  • Assume all portable devices contain sensitive information and take action to protect it, including the use of encryption.

In the wake of the breach, Massachusetts eHealth Collaborative broadened its use of encryption and trained all staff on how to use the technology. It now uses whole disk encryption of laptops, file-level encryption for passing files to and from its clients, and secure e-mail.
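Of the three measures listed above, the file-level layer (encrypting a file before it is handed to a client) is the one that can be shown concretely in a few lines. The Go program below is an added example, not code from the collaborative or from the article: it seals a constructed sample record with AES-256-GCM, which encrypts and authenticates in one step, then shows that flipping a single bit of the ciphertext is rejected outright rather than decrypted into garbage. The key is derived from a fixed label purely so the run is reproducible; in practice the key is generated randomly and exchanged with the client out of band. The function names (sealFile, openFile, demoKey, roundTrip), the sample record and the associated-data string are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed sample file contents for the demo; not real patient data.
const samplePlaintext = "MRN:000000, DOB:1970-01-01, demo record (constructed)"

// sealFile encrypts plaintext with AES-256-GCM under key and returns
// nonce || ciphertext || tag. A fresh random nonce is drawn per call, so
// encrypting the same file twice yields different output.
func sealFile(key []byte, plaintext []byte, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice, so the blob
	// carries its own nonce and the receiver needs only the key.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openFile reverses sealFile. Any change to nonce, ciphertext, tag or AAD
// makes the GCM tag check fail, and an error is returned instead of data.
func openFile(key []byte, blob []byte, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// demoKey derives a fixed 32-byte key from a label so the demo is
// reproducible (an assumption of this example). A real deployment uses a
// randomly generated key shared with the client out of band, never a
// key derived from a guessable label.
func demoKey(label string) []byte {
	sum := sha256.Sum256([]byte(label))
	return sum[:]
}

// roundTrip seals the sample record, opens it, then corrupts one bit and
// tries again. It returns (decrypted correctly, tampering detected).
func roundTrip() (bool, bool, error) {
	key := demoKey("constructed-demo-key")
	// AAD binds the blob to its intended client and filename; it is
	// authenticated but not encrypted, so it must hold nothing sensitive.
	aad := []byte("client=ExamplePractice;file=demo.csv")
	blob, err := sealFile(key, []byte(samplePlaintext), aad)
	if err != nil {
		return false, false, err
	}
	pt, err := openFile(key, blob, aad)
	if err != nil {
		return false, false, err
	}
	ok := string(pt) == samplePlaintext

	// Flip one bit of the stored blob; the tag check must reject it.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openFile(key, tampered, aad)
	return ok, err != nil, nil
}

func main() {
	ok, detected, err := roundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypt ok: %v, tamper detected: %v\n", ok, detected)
}
```

Whole-disk encryption protects a laptop only while it is powered off or sitting at the lock screen; once a file is copied off the disk, attached to an e-mail or dropped on a share, the per-file layer is what carries the protection with it, which is why the two appear together in the list above.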

Tripathi is president and CEO of the collaborative, which is supported by 34 non-profit healthcare organizations in Massachusetts. The organization specializes in advising physician group practices and others about the implementation of electronic health records. Tripathi also chairs the Health Information Exchange Workgroup of the federal Health IT Policy Committee, which makes recommendations about health information exchange to the Office of the National Coordinator for Health Information Technology in the U.S. Department of Health and Human Services. Before joining the collaborative, Tripathi was a manager at the Boston Consulting Group and served as founding president and CEO of the Indiana Health Information Exchange. He has a Ph.D. in political science from Massachusetts Institute of Technology.

HOWARD ANDERSON: For starters, can you please briefly describe your organization for us?

MICKY TRIPATHI: The Massachusetts eHealth Collaborative is a non-profit organization that was founded in 2004 to facilitate the implementation and adoption of electronic health records and health information technologies primarily in the ambulatory part of the healthcare delivery market.

Data Breach Details

ANDERSON: You recently wrote a lengthy blog describing your organization's experience with a breach, offering valuable lessons learned. So for starters, please summarize the details of the incident briefly. It involved the theft of a laptop, right?

TRIPATHI: Yes it did. The incident happened when one of our employees had a laptop with them while they were out in the field. [The employee] stopped to have an appointment, left the laptop in their automobile, in a briefcase, and the briefcase was stolen. We believe and have every indication it was just a random, incidental theft. The laptop wasn't exposed, just a briefcase was exposed. A window was broken and the briefcase taken with all of its contents. As it turned out, the laptop had some patient demographic information on it, which thus would constitute a breach of PHI [protected health information] by federal standards and PII, which is personally identifiable information, by Massachusetts state standards.

Lessons Learned

ANDERSON: In your blog you offered a summary of eight lessons learned from the experience. Can you go over those quickly for us now, please, so people can learn from your experience?
