According to an article published this week on Healthcareinfosecurity.com, once the federal tally kept by the United States Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) is updated with three new 2012 incidents, the count may pass the dubious milestone of more than 20 million individuals affected by major healthcare information breaches. This list, which tracks breaches affecting 500 or more individuals, has been growing since its inception in September 2009, when the HITECH Act-mandated breach notification rule went into effect. Among other things, the HITECH Act raised the maximum fines for HIPAA-related violations from a previous ceiling of $250,000 per year to a new high of $1.5 million per year.
Similarly, a 2011 study by the Ponemon Institute found that despite an increase in Health Insurance Portability and Accountability Act (HIPAA) compliance in the healthcare industry, data breaches are increasing, costing the healthcare industry $6.5 billion annually (an average of $2.2 million per breach). The frequency of data breaches among organizations in this study has increased 32 percent from the previous year. Many of these were due to employee mistakes and sloppiness – 41 percent noted unintentional employee action.
While much of the coverage of the Act has centered on the requirements it places on the healthcare industry, HIPAA is designed to protect privacy rights while also allowing the electronic flow of health information needed to provide and promote high quality health care. So how can an organization safely balance the need to collaborate and share information with the need to comply with regulatory requirements and protect patients’ protected health information (PHI)?
A multi-pronged approach that combines employee education, training, and awareness with technical enforcement is required. Access and rights management controls and monitoring, along with configuration change management and audits, can all lead to a more secure and less vulnerable environment. For organizations using Microsoft SharePoint as one of their primary systems for collaboration or enterprise content management – which, according to AIIM’s “State of the ECM Industry 2011” report, includes 60 percent of organizations and 70 percent of larger organizations – this kind of automation and continuous monitoring is available from AvePoint.
AvePoint’s Healthcare Kit allows chief privacy officers, chief information security officers, chief medical officers, and administrators to implement automated access and content controls for their enterprise-wide SharePoint systems (and file share systems) to prevent breaches from happening. If and when a breach does occur, the Healthcare Kit also enables swift detection so the organization can track, respond, and recover. This reduces the likelihood of a catastrophic incident and helps feed information back into system hardening and improvements, the continuous lifecycle that must make up a successful risk management program.
What are your thoughts on mitigating risk and protecting information in SharePoint? Leave a comment and let us know!
Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Ms. Simberkoff is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges, and market opportunities.
Ms. Simberkoff has led speaking sessions at data privacy and security events around the globe. She was featured in Forbes, writes a monthly column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”. She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP). Ms. Simberkoff holds a BA from Dartmouth College and a JD from Suffolk University Law School.
LinkedIn: www.linkedin.com/in/danalouisesimberkoff/en
Twitter: http://www.twitter.com/danalouise