The Changing Landscape of eDiscovery Security

Legal discovery has been transformed by the move to digital information storage. Discovery has shifted from digging through file cabinets full of documents to digging through online databases and electronic systems, streamlining the process and giving all parties involved better visibility into the information.

But despite the widespread implementation of in-house database security, many firms still fail to meet basic security standards during the eDiscovery process.

Challenges of eDiscovery

eDiscovery often involves transferring large quantities of data from one party to another by methods that lack the security controls applied to the parties' normal systems. According to Jeff Kerr and John Mays, the founding partners of legal firm Mays & Kerr, the information transition period of eDiscovery is when confidential data is most vulnerable:

“In eDiscovery matters, the client is often asked to turn over a large amount of its raw data, either to counsel or to a vendor. Transferring that data creates risk that it can be breached during transit, and storage in multiple locations creates more attack surfaces,” Mays said.

Unfortunately, legal firms must comply with these eDiscovery practices regardless of whether each party involved is taking the necessary security precautions. However, the growing incidence of digital data discovery and sharing will help create new policies to govern the flow of sensitive information.

“There is a connection between discovery and information governance, and it fits into security with respect to managing the number of times sensitive data is duplicated. You likely want to have that information backed up, but additional copies may increase risk,” said Mays.

Building Better Security

Legal firms are no strangers to cybersecurity breaches. Information losses can occur at every point of the information chain, creating a need for enhanced security standards that reflect the needs of an electronic legal landscape.

Secure passwords, firewalls, encryption and malware management are all essential to maintain for a protected digital environment. But being aware of the issues is not enough—legal firms need dedicated staff members who understand the challenges of IT security and the best way to deploy strategies to keep their data secure. This is true for in-house security, but also applies to areas of heightened data vulnerability, such as eDiscovery.

Until legal firms can guarantee a secure information transfer process during eDiscovery practices, the risk of cyberattacks and compromised data will be a notable concern.

Written by Desh Urs

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decision Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.

Ripe for the Picking: Why Healthcare Security Needs a Partnered Approach

Underestimating the threat of security and data breaches may leave patients more at peril after they’ve left the hospital than when they’re in the ICU. In August, the U.S. Department of Health and Human Services reported that major breaches alone – that is, incidents affecting upwards of 500 people – now number nearly one thousand. That amounts to 30.1 million Americans to date whose personal health information (PHI) has been severely compromised.

What’s being done to stop the flood of PHI being snatched, leaked or even willingly served to hackers and cybercriminals primed to do just about anything they want with it? Isn’t HIPAA privacy enough protection to prevent exactly these kinds of incidents?

HIPAA

It’s dangerous to underestimate the importance of the HIPAA privacy law, because it brought new national awareness to the need to protect patient data. The legislation secured sensitive health information such as test results and aimed to prevent unauthorized disclosure of pre-existing conditions and diagnoses. Patients now see HIPAA-related paperwork at every office visit, so at least they have some stake in the privacy of their information.

For the medical community, HIPAA requires that practices and practitioners invest in reducing risk. They must think through some scary “what if” situations and create contingency plans to help reduce the impact of a breach. But is following HIPAA enough to keep PHI safe and secure?

Security Measures

It turns out just about any IT professional or security expert will say “No.” HIPAA is a good starting point, but it will not seal an already leaky dam. The onus is on hospitals and private practices to implement key security technologies designed to secure networks powered by the most personal details about every patient. Important steps include:

  • Firewalls
  • Spam and spyware protection
  • Improved sign-on requirements, including single sign-on authentication with stricter security standards
  • Encryption

In a recent article in the “New England Journal of Medicine,” the executive director of Harvard Medical School’s Center for Biomedical Informatics, Eric Perakslis, said healthcare is in the crosshairs and “is being aggressively and specifically targeted.”

The Outlook

The question of healthcare information security cannot be answered with only one tool. Taming this rather ferocious beast will require an entire platform of strategies for security success. Perhaps what will be most interesting is whether the public – the patients whose information is being so “aggressively targeted” – will rise to this challenge by demanding stronger action by both the government and industry. Without a singular commitment to this partnered approach, including both HIPAA provisions and purposed security actions, healthcare information will remain ripe for the hackers’ picking.

Written by Dean Van Dyke

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

A ‘Big Picture’ Paradigm Shift for Healthcare Data Security

At certain points in history, it becomes apparent that the only way to solve a major question or overcome a monumental challenge is to change our governing perspectives on the matter. These paradigm shifts are sparked by discoveries like the roundness of the earth and the centrality of the sun within the solar system. The concept is astonishingly simple: once we change the way we look at a problem, we may find the key to solving it. Such a paradigm shift might serve the complex and increasingly chaotic realm of healthcare data security.

Beyond the Security Team

In a recent interview posted at Healthcare & IT News to prepare for his upcoming keynote appearance at Boston’s Privacy & Security Forum, Texas Health Resources CIO Ed Marx explains his organization’s macro-focus on healthcare privacy and security as taking the stand that security is “everyone’s responsibility.”

Instead of taking a laissez-faire approach to the issue and trusting that the IT department is running interference for the entire 25-hospital healthcare system, Marx asks his 24,000-strong workforce to look at security as an all-in proposition. Texas Health is fostering an atmosphere of vigilance amongst the entire employee team, not just the security professionals. This “culture of security” requires yearly training sessions and proficiency tests to drive home the company-wide commitment of increasing security and protecting patient records.

Never Break the Chain

This revolutionary approach to protecting personal health information goes beyond just enlisting workers in the common cause. Besides this initiative, Marx also overhauled the chains of command within his organization and formed a security task force with reporting duties to the health system’s board of directors.

Visibility and accountability are primary drivers to security at Texas Health: “We have a direct line of sight from the chairman of the board, who sits on the committee, all the way down to the individual employee.” Marx continues, “When we need support, we get it because we have this governance council for security and straight access to the board.” It’s obvious that Marx and his team mean business, a mindset that patients should appreciate considering the risky state of security affairs at many other healthcare organizations nationwide.

At such a crucial time in the healthcare security realm, when many organizations lack direction while risk to consumer personal health information grows increasingly higher, perhaps this thinking will inspire a much-needed healthcare security paradigm shift.

Written by Dean Van Dyke

Turns Out HIPAA Is Full of Healthcare Privacy Holes

Most consumers believe they can put their faith in HIPAA, the federal law designed to make health insurance more portable and to eliminate fraud. Notice we didn’t describe it as a privacy law; while some provisions put patient privacy at the forefront, HIPAA doesn’t always keep consumer personal health information (PHI) under lock and key.

The HIPAA Privacy Rule established national standards designed to protect consumer health information and medical records from cybercriminals by putting limits and conditions on what is usable and shareable without individual patient authorization. However, according to a new report from the California Healthcare Foundation entitled “Here’s Looking at You: How Personal Health Information Is Being Tracked and Used,” there’s a lot more consumer health information floating around in cyberspace than one might imagine.

Where Does Protection Come In?

There are many ways legitimate organizations and ill-intended miscreants can capture PHI and other private data and then sell it on the Internet black market without consumer consent or knowledge.

What are the different categories not protected under HIPAA’s privacy provisions? The extent of it might surprise the average patient:

  • Internet searches for health and healthcare information
  • Healthcare products and medications purchased online
  • Purchases of dubiously health-related items such as trans-fat laden fast foods or tobacco products
  • User profiles and activity on health-related social networks such as Sermo and PatientsLikeMe

While the revelation that the information above is not protected is sobering, is it cause for panic? Not necessarily. Much of the data collected via these avenues is used not for criminal reasons but for marketing. The report found that the data mined from these routes may be useful in improving results in clinical trials and targeting affected individuals who may benefit from upcoming vaccine or treatment trials.

Online Activity vs. Privacy Implications

Either way, consumers should know that their online activity – even that related to health and healthcare – is not private. Jane Sarasohn-Kahn, a health economist and principal author of the aforementioned report, states: “Even consumer footprints that are not expressly about health can be used to help determine a person’s physical or mental health. How we shop, the magazines we subscribe to, where we hang out on the weekend – this information is relatively easy to purchase by third parties.”

Understandably, many consumers and consumer advocates are disturbed by the revelations in the California Healthcare Foundation report. Fortunately, Sarasohn-Kahn offers several propositions designed to increase consumer protection without cutting off healthcare data sharing completely:

  • Increase security on PHI through “health data lockers” and more private cloud storage for healthcare data.
  • Boost transparency and simplicity in the healthcare data regulatory market so there is greater oversight and less rampant capturing, selling and use of consumer information without knowledge or consent.
  • Empower consumers by getting their consent before capturing data or enacting “meaningful protections” to prevent malevolent data mining and usage.

Even the FTC has weighed in on this issue. In a June 2014 statement, FTC commissioner Julie Brill demanded congressional action: “Since most consumers have never heard of data brokers, we call on Congress to enact legislation that would lay out their existence and activities at a centralized portal, a solution I have long advocated. At this portal, data brokers could identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs.”

What will be done to protect PHI remains to be seen. While HIPAA helps safeguard types of consumer information, the healthcare data that lies outside its jurisdiction is caught in a data-mining free-for-all that could put consumer privacy at significant risk.

Written by Dean Van Dyke

5 Tips for Gracefully Handling Your Data Breach

You can barely throw a rock on the Internet these days without hitting a piece of advice on the best way to prevent a data breach. Yet, any organization that falls victim to such an attack is likely to find little guidance about the next steps to take. What’s the most appropriate way to share the news about a security incident?

Know Your Audience

The key to finding the best approach is first to understand that the message may have to vary slightly depending on the recipients, in order to address their particular pain points and concerns:

  • Consumers worry about their privacy. Will they need to switch banks? Cancel cards? Should they continue doing business with the affected company?
  • Regulatory bodies like the Federal Trade Commission will want to verify that the technical aspects—like fulfilling any statutory obligations—of the announcement meet certain standards.
  • Banks will want details about how the affected company will address the costs for issuing new cards to consumers.
  • The board and the shareholders are more concerned about company worth and viability, and how or if such an incident compromises an organization’s value.

Given that this is just a cross-section of those who might be affected by a data breach, it is easy to see how any official message must be tailored to its audience.

Tips for Taking the Plunge

Once it’s time to explain, remember that honesty is the best policy… with these tips:

  1. Find the right balance between planning when and how to discuss any cyberattack with those affected, whether that means shareholder or cardholder. Some companies have found success with making an initial limited disclosure, then releasing more details upon investigation completion, but don’t deliberately downplay the gravity of the situation either. Also, comply with all mandatory disclosure timelines.
  2. Remember that language is everything. A “cyberattack” suggests an unforeseen and unpredictable outside force, while a “data breach incident” subtly implies that the company is at fault. Choose every word carefully.
  3. Know your rights. Reporting information to the authorities may negate the protective status of attorney-client privilege. Although cooperation with law enforcement is a must, do so with the guidance and advice of counsel rather than disseminating information too quickly.
  4. Remember that excessive compensation isn’t a must. Although offering a type of loyalty reward, like free credit monitoring, as a gesture of thanks to affected customers is understandable (and often appropriate), going overboard with an offer that’s disproportionately generous can seem suspicious in an overly culpable kind of way. Always weigh the considerations of such offers against the possible costs.
  5. Don’t be afraid to involve forensics consultants as part of damage control. Digital evidence can uncover any indicators that could point to a preventable security compromise. Or, proof that could absolve an affected company completely.

Although any data breach incident—ahem, cyberattack—can feel like a PR nightmare, it doesn’t have to be. Going public with a data breach can be handled with professionalism and grace, as long as a solid strategy is set in place before any information is released about the incident.

Written by Dean Van Dyke

New Survey Finds Law Firms Face eDiscovery “Watershed”

In the legal realm, large firms are currently facing a major “watershed” moment with reference to the way they service e-discovery tasks charged by their corporate clients. One need look no further than the imminent collapse of newspaper journalism in the face of emergent digital media to see that just like the Borg warned us: “resistance is futile.”

According to a July 2014 survey conducted by Ari Kaplan Advisors and sponsored by RVM Enterprises Inc., today’s firms are revolutionizing the way that e-discovery functions within their operations. Many firms are absorbing a greater share of the e-discovery workload and making it a more in-house function in response to rising demand for greater transparency from outside counsel coupled with a desire to control counsel costs.

Key Conclusions

The survey found that 100 percent of the attorneys polled, all of whom primarily function as outside e-discovery counsel for corporate legal departments, said they currently recommend both e-discovery software and vendors to their clients from the corporate world. Survey respondents agreed unanimously that they’re seeing major tidal changes in their clients’ expectations with reference to practice support technology.

  • 89 percent of respondents theorized that these changing expectations reflect rising technology costs and a need to control mushrooming legal expenses.
  • Beyond technology costs, they pointed to the ever-increasing rate at which the modern corporate client creates data, as wired employees generate unmanageable volumes of potentially “e-discoverable” information.

Here’s where things get dicey: today’s legal counsel faces resistance from clients when they bill separately for e-discovery because clients think it should be included in existing operating costs. How can firms raise awareness among their clients about the often monumental task of e-discovery at the enterprise level and justify its inclusion as a separate line item on invoices?

Some firms are working to overcome this watershed moment by strengthening their billing propositions with increased clarity, upgraded technology, and greater transparency as demanded by clients. Strategies include:

  • Creating a more uniform e-discovery approach to cut down on client confusion when it comes time for billing
  • Upgrading data processing vendors and replacing them with more efficient models
  • Aligning themselves with adept third-party e-discovery partners whose expertise lends credence to hefty costs

Making the Case for E-Discovery Due Diligence

Until e-discovery becomes recognized as a bona fide operating cost, firms will have to focus on cost reductions to convince clients that they operate efficiently during the cumbersome data gathering and review phase. Kaplan says possible tactics may include “spotlighting strategies for mitigating risk in the most cost-effective manner possible.” This strategy may help corporate clients make more informed decisions, convince them of firms’ expertise and efficiency and lay out the real-world costs of forgoing certain vital steps in the e-discovery chain of action.

The Road Ahead

This watershed moment is defined by shifting responsibilities with reference to corporate e-discovery:

  • In-house legal departments are beginning to create their own e-discovery processes, defining risks and balancing the competing charges of efficiency and accuracy
  • This trend toward a more in-house approach to e-discovery requires the adoption of new technology for corporate legal departments, allowing them to manage tasks they formerly outsourced

Kaplan says the new test that emerges from the ever-changing e-discovery landscape is finding a way to segment billable work in order to “reflect a firm’s traditional counseling role and its evolving position as a service provider.” What remains to be seen is how large firms will rise to this challenge and redefine themselves as efficient, trustworthy partners whose value is unquestionable to corporations.

Written by Simeon D. Rapoport

Simeon D. Rapoport is the Vice President & General Counsel for iBridge. He’s been an attorney for more than 25 years, began his career working in the courts and private practice for more than 10 years, and has been in-house corporate counsel since 1998. Rapoport’s experience includes private practice with the large West Coast firm of Bullivant Houser and more than 10 years at Standard Insurance Company. Rapoport is a frequent author and speaker, and he enjoys being active in Bar and civic groups. His interests include family, fitness, outdoor activities, and travel.

4 Ways Fitbit and Facebook Can Compromise Your Medical Privacy

There’s a surge in the use of social networking and fitness-tracking devices like Fitbit to monitor and improve health and wellness, but some of these same advancements in health and fitness technology are raising alarming privacy issues. Here are four ways your efforts to share your fitness journey with the latest and greatest technology could have unintended consequences and compromise your privacy.

1. HIPAA Has Its Limits

The Health Insurance Portability and Accountability Act (affectionately known as HIPAA) effectively governs the privacy and security of health-related data collected by hospitals, healthcare providers and insurance companies. However, HIPAA’s policies and regulations for data security don’t apply to your private information when you choose to place it on other outlets.

When you fill out questionnaires or surveys at a gym, massage therapist’s office or health food store, you should understand that the data isn’t regulated the same way it is when it’s shared with your doctor or insurer.

2. You May Inadvertently Over-Share

For most people, accountability is a wonderful tool to use when working towards fitness goals. Through apps and social media, we can share our successes (such as a new record for a mile run) and find support in our downfalls (like the empty Ben & Jerry’s container in today’s trash). Fitbit offers its users a leaderboard that refreshes all day to show who’s burning the most calories, making the best food choices and getting the most sleep.

Making your triumphs and failures public may seem like a great way to stay motivated and meet your goals, but, as some Fitbit users learned in 2011, you may accidentally give TMI. Just as Fitbit shared the number of calories worked off on the treadmill or how many flights of stairs were scaled, the popular fitness device also recorded and published late-night physical activity statistics including duration and calories burned.

3. “Checking In” Allows Others to Check-Up on You

Checking in via Facebook or FourSquare is a popular tool on social networking that allows users to publicize where they’re eating lunch or what landmark they’re visiting. Believe it or not, broadcasting your every move and activity could affect your health insurance rates. Insurance companies are in the business of minimizing risk and turning a profit, so constantly checking in at bars or cigar shops could lead to a hike in your premiums if your insurer decided to check out your check-ins.

4. Facebook Is the New Insurance Company Questionnaire

When applying for new health insurance, you’ll likely be asked to fill out a detailed questionnaire regarding your general health, preexisting conditions and medical history. However, insurers are jumping on the social media bandwagon and doing their own research to determine the riskiness of would-be policy holders. The amount of private and personal information people willingly share on their social networking profiles is astounding. These profiles have become a valuable and insightful resource for insurance companies hoping to determine the actual lifestyle of an individual, which may vary from how one represents themselves on a health questionnaire.

Written by Dean Van Dyke

20 HIPAA Breach Response Tips From Experts

Medical identity theft is undeniably one of the biggest challenges facing the healthcare industry today. The guidelines laid out by HIPAA provide an excellent frame of reference to help better protect patient data. When you are faced with a breach, however, what’s the best response? Here’s a look at 20 tips from the experts.

1. Locate Breach

The very first thing to do if you suspect a breach is to find it. No other steps can be taken without knowing exactly what you’re up against.

2. Containment

After identifying the breach, the next step is containment. The goal here is the IT equivalent of stopping the bleeding, whether that means disabling compromised accounts or blocking access to infected machines.

3. Damage Control

Damage control begins as soon as the immediate threat is under control. Determine what was accessed, and investigate other potential vulnerabilities to gauge the extent of any collateral damage.

4. Restore Services

Your organization must continue functioning effectively, and this means getting critical systems up and running again as quickly as possible. Once you’re sure that you’ve accurately identified and contained the source of the breach, restore essential services.

5. Internal Notification

Next, develop an internal report that notifies everyone, from the ground up, about what just happened. This is important for managing the rumor mill, and it also helps satisfy the U.S. Department of Health and Human Services documentation requirements.

6. Be Honest

Don’t bother trying to combine sugarcoating and information dissemination. Just be honest and explain the facts behind the breach.

7. Change Passwords

Change all passwords and authorizations right away. It’s hard to tell how much information a hacker had time to grab, so err on the side of caution.

8. Preserve Evidence

As you’re doing things like changing passwords and containing the breach, be sure to save evidence of both the breach itself and the corrective measures you’re taking for future reference.

9. Gather Documentation

The OCR will require extensive documentation, including but not limited to: a copy of your most recent risk assessment, records of the corrective action taken in response to the breach, proof of plans to prevent recurrence, and much more.

10. Report Immediately

Although you technically have 60 days to report the breach to HHS and the press, it’s better to go public sooner rather than later. This shows that you’re taking the issue seriously, which in turn bolsters confidence in your organization.

11. Inform HHS

Tell HHS about your breach. Remember, any incident that affects more than 500 patients should be reported directly to the Office of Civil Rights.

12. Contact Your Patients

All companies are required to inform potentially affected individuals that a breach has occurred. Again, this should be taken care of as quickly as is reasonable, for the same reasons mentioned above.

13. Tell the Media

As the saying goes, he who breaks the story controls the manner of its release. Acknowledging the breach openly with the media is much better PR than trying to cover anything up.

14. Remediate

Everyone makes mistakes, but those who make an effort to rectify those mistakes rebuild trust in their organization that much faster. Do the right thing by offering help where help is needed.

15. Offer Resources

As part of the remediation process, provide resources to patients who are concerned about their privacy. For example, you can create a dedicated 1-800 number help line for affected parties to easily get answers to the questions they have, or offer free credit monitoring for one month.

16. Discipline

If your data breach resulted from a clear internal violation of your existing policies, the responsible party has to suffer the appropriate consequences. Take the necessary steps to discipline where called for.

17. Review Policies

Any data breach is a good indicator that it’s time to review your processes and policies to prevent similar incidents in the future.

18. Uptrain

Further investigation of the breach could reveal that remedial training is required to ensure that all employees are in compliance with current data guidelines.

19. Promote Awareness

Most healthcare organizations have a great number of policies and procedures that employees are expected to follow, and it’s possible that data security concerns could get lost in the shuffle. Encourage awareness of the importance of HIPAA compliance, and make it clear that ignorance is not an acceptable excuse for noncompliance.

20. Prevent

While all of these steps are important for handling a data breach with professionalism and grace, the truth is that prevention is still the best policy when it comes to keeping information secure. Going the extra mile now to limit the potential of dealing with fallout later on is well worth the extra effort.

Written by Dean Van Dyke

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

Why It’s Time for Law Firms to Get Real about Data Security


Source: freedigitalphotos.net/Renjith Krishnan


When it comes to data security, law firms are facing two distinct disadvantages. First, the legal industry seems to lag behind other fields somewhat when it comes to technology in general; not every member of the old guard sees the need to learn new tricks. And secondly, there’s no industry-wide standard when it comes to data security requirements for sensitive information. This combination all too often leaves law practices severely lacking when it comes to protecting data, leading experts to refer to law firms as the “soft underbelly” when it comes to cyber security. Is this a fair designation, or are law firms more self-aware than that?

Technological Savvy

Although of course new case law is created on a regular basis, the truth is that the vast majority of legal expertise lies in examining and reexamining the same information again and again. This can give the impression—sometimes even to those within the legal profession—that not much changes when it comes to litigation, and therefore that there is little need to bring a firm into the 21st century by investing significantly in its technological infrastructure. As such, running into severely outdated computer systems in a lawyer’s office isn’t all that unusual, particularly in smaller firms that lack the financial resources of larger, more established practices.

Yet, to assume that these “rules” apply to all law firms is equally shortsighted. In reality, the past year alone has shown a dramatic uptick in security efforts from individual firms, either in an effort to adopt ISO 27001 or even stricter security standards. Initiatives like LegalSEC® are helping to develop consistent guidelines within the legal community and create security programs that are both measurable and achievable, as well as promote greater awareness about cyber security.

The Future of Legal Technology

The issue of cyber security becomes paramount when the legal industry intersects with other professions in which data protection is a chief concern. For example, clients in the financial services industry are likely to conduct security audits to ensure outside counsel’s compliance with industry-specific guidelines. These audits can even include details such as security assessments of data centers and physical files.

In short, the legal industry now finds itself in a position that requires firms to maintain robust security programs, acknowledge and resolve any existing vulnerabilities, and be prepared to address any risks that are uncovered during a security audit. The overwhelming response has been to rapidly restructure existing operating budgets accordingly.

While the sudden IT security ramp-up may seem like an overwhelming shift, this is really only one pixel in the big picture of other changes law firms are facing: new billing practices as clients push for a move from hourly to service-based fees, the non-traditional career path of working as an independently contracted lawyer, and a number of other post-recession adaptations that allow the industry as a whole to evolve and—eventually—thrive in its new incarnation. Rest assured, those in the legal field are not the only seasoned professionals who are facing these types of challenges. Armed with a renewed awareness of the severity that a lapse in data security can represent, the legal industry is ready to face the future and get serious about data security.

Written by Simeon D. Rapoport

Simeon D. Rapoport is the Vice President & General Counsel for iBridge. He’s been an attorney for more than 25 years, began his career working in the courts and private practice for more than 10 years, and has been in-house corporate counsel since 1998. Rapoport’s experience includes private practice with the large West Coast firm of Bullivant Houser and more than 10 years at Standard Insurance Company. Rapoport is a frequent author and speaker, and he enjoys being active in Bar and civic groups. His interests include family, fitness, outdoor activities, and travel.

Are You Beefing Up Your Data Security?


While the general public may think of data breaches as occurring mainly in the retail industry, signs increasingly indicate that the healthcare sector could present a much higher risk for consumers, both in terms of frequency and the potential for more serious consequences. Large retailers whose security efforts have been found wanting (as in the case of Target’s heavily publicized recent data breach) have been duly fined and have now actively kicked their security efforts up a notch, along with many of their peers. Yet, healthcare organizations—despite their arguably greater vulnerabilities—still seem to be lagging behind when it comes to data protection.

Source: freedigitalphotos.net/Stuart Miles

Personal vs. Financial Data

Although having your credit card or bank account data stolen is certainly stressful, the loss or theft of personal information like medical records can be even more sensitive, for a number of reasons:

  • While consumers can contact their banks, credit card companies or the credit bureaus to report identity theft, no “official” recourse exists for a breach of medical records.
  • Information gleaned from medical records can be leveraged into accessing a multitude of other accounts, including banks and credit cards.
  • Correcting medical records after healthcare fraud has occurred is next to impossible, as healthcare organizations are (understandably) reluctant to change any records but those directly originating from their practice.
  • Healthcare fraud cost the United States an estimated $80 billion, according to the FBI.

This list is just the tip of the iceberg when it comes to looking at all the reasons a personal data breach so often presents a more serious threat to individuals than a retail-related breach that only accesses payment accounts.

What’s Your Security Grade?

A close examination of data on security breaches indicates that those in the healthcare industry continue risking network exposure and patient data by following high-risk practices. Security ratings are lower overall for healthcare organizations than for retailers, indicating a strong need for all healthcare-related businesses to beef up their efforts at patient protection across the board.

In 2013 alone, nearly 200 data breaches were reported to the U.S. Department of Health and Human Services, a number that reflects over 7 million at-risk patient records. This is an increase of 138 percent from the previous year.

The Payoff

Since most healthcare systems were originally designed for ease of use rather than high-level security, these facts are hardly surprising. Yet, since the United States spends approximately $2.7 trillion dollars on healthcare every year, it shouldn’t be hard for healthcare organizations to see that their records represent a potential goldmine for cybercriminals. That fact alone should be reason enough to start taking security much more seriously.

At this point in the game, it’s clear that protecting patient data and healthcare records desperately needs to take top priority, especially when additional factors such as the launch of HealthCare.gov and the recent increase in HHS crackdowns are taken into consideration. If you’re still not sure where you stand with your system’s security, take the time to conduct a risk assessment and find out if your organization might be vulnerable.

Written by Dean Van Dyke
