Good security compliance requires passion
During the joint conference on mobile device security hosted by the Dept. of Health and Human Services Office of Civil Rights and the National Institute of Standards and Technology on Sept. 24, Daniel Solove, the John Marshall Harlan research professor of law at the George Washington University Law School, talked about how to wake up the C-suite to the importance of good security.
C-suite buy-in plays a big role in compliance and ratcheting up the importance of a program. That’s necessary today because “we’re in the midst of a crisis in data privacy and security. Billions of passwords have been stolen. Chinese hackers stole the medical records for 4.5 million patients. The number of breaches keeps rising. It seems to be an epidemic. It keeps happening again and again. We’re seeing the same problems over and over again.”
Solove cited a Ponemon Institute study that found that data breaches cost healthcare institutions $5.6 billion and that 90 percent had at least one breach within the past two years. “Those are staggering numbers.”
After reading through numerous data breach incident reports, Solove said he found that two things matter the most when it comes to effective compliance: 1. The C-suite must truly understand the risks, the law and the importance of compliance; 2. The workforce must know how to protect protected health information (PHI). “That’s a big challenge because it involves human behavior but it’s related to buy-in at the top.”
A lot of work needs to be done in both of these areas because most incidents are preventable, he added.
“Data protection must be felt in the bones of the organization. It must come from the top and the bottom. You can’t just go through motions but you must really care about it. Every employee needs to care, know what they’re supposed to do and care about doing it,” Solove said. This takes time but in the end, it’s a great benefit to both patients and organizations because they will save money by having a good compliance program.
Only 32 percent of IT practitioners believe their organizations to be vigilant in protecting regulated data on mobile devices, he said, citing another study. “That’s really scary. Two-thirds don’t think their organization is doing a good job in this area.” And, just 52 percent of healthcare organizations have a full-time resource for security. “That’s just shocking to me.”
Communication between the C-suite and privacy and security officials is crucial, Solove said. “If no one’s talking to each other, it’s hard to imagine how you can have an effective program and how the C-suite can really understand the risks.”
The C-suite should care about this because of money, time and reputation, he said. Money will typically get their attention because incidents are very costly—“costlier than most folks might imagine.” With the recent Target breach, the company’s profits dropped from $961 million to $520 million in the same quarter after the breach. The company also could face fines of between $400 million and $1.1 billion, he said, citing estimates published by The Washington Post.
That’s not the end of it. The day after the Target breach became public knowledge, 40 lawsuits were filed. While most lawsuits in this area fail, most organizations wind up settling with the plaintiffs just to put an end to the time-consuming, costly process of fighting the suits.
Meanwhile, the Dept. of Health and Human Services is starting to issue very large fines for HIPAA violations. “We’re talking serious money. This is not a slap on the wrist.” But, Solove said the cost under-appreciated by the C-suite is time. “People are sucked into the vortex of dealing with the incident which means time away from other things. The C-suite also has to deal with the incident, through public relations, making statements and answering to others.”
Since the Omnibus Rule went into effect, “the general trend is that enforcement is increasing.” Most states have a notification law but they differ significantly, he said. Related laws keep changing but those changes are not “to loosen up regulations but to make them stricter. The bar to trigger notification keeps going lower. The law is ratcheting up the pain. Preventative medicine can help in the form of building a good program.”
The workforce is the largest data security threat, Solove said. Ninety percent of malware requires a human interaction to infect and 95 percent of security incidents involve human error. Most are traceable to the same bad practices such as the one-third of workers who use the same password for work and personal devices and the 35 percent who have clicked on email links from unknown senders.
Meanwhile, 56 percent of employees across all industries are not receiving any data security awareness training, he said. “That’s a scary statistic but it’s probably a little better in healthcare.” And, a lot of the existing training isn’t very effective. “If you’re going to have a compliance program, quality matters.” He suggested using stories because they are incredibly effective. “People remember stories. They rarely remember abstract dos and don’ts.”
Emotion is key, he added. “To be effective, you have to make an emotional connection with people and make people care.” Training should also motivate people, not just educate. But above all, “have passion for the material. Compliance is something you really have to care about. If that’s not there, it’s hard to have a good program.”