Just last month, Home Depot fell victim to the biggest data breach in retailing history, as 56 million of its customers’ credit cards were compromised. Surely a breach of this size (currently accounting for more than $3 billion in fraudulent activity) came as a shock to everyone associated with the retailer, right?
According to a New York Times feature story, former employees say Home Depot had warning signs that this type of incident could happen as far back as 2008. And that the retailer was too slow to respond with necessary upgrades to its security measures.
Home Depot is hardly alone. These types of thefts are becoming commonplace among retailers in recent years. As the retail sector wrestles with a crisis of confidence in how it manages sensitive data, what lessons can healthcare learn from all this?
Here are a few to consider:
When data is “at risk”, it is not a matter of if, only a matter of when.
By their very definition, risks can lead to adverse events. If your organization doesn’t comprehensively understand where your vulnerabilities lie, and if you don’t put appropriate plans in place to eliminate or mitigate those risks, it’s only a matter of time before you make headlines of your own. Click here to access a free webinar that will help you learn more about conducting a thorough Security Risk Analysis for your organization.
You must build a culture of compliance.
The industry professionals speaking out against their former employer said they quit after management dismissed their concerns about security standards and the need to better protect the company’s data. Think about your culture. Do you have clear expectations across your organization for how data should be protected? Is it a priority? Do your managers know this? Are they held accountable?
In the case of Home Depot, former employees suggest there was no such culture. According to them, when asking for new software and training, managers came back with the same response: “We sell hammers.”
People matter just as much as process.
According to the New York Times, Home Depot hired a computer engineer to help oversee security at its stores nationwide a few years back. Unfortunately for the company, he was sentenced to four years in prison for deliberately disabling computers at the company where he previously worked. Oops.
Your people are your greatest asset and greatest liability when it comes to protecting data. From recruiting to ongoing training, how you approach your workforce will directly impact how successful you are at securing protected health information (PHI).
It is not just your problem; it is our problem.
Security experts suggest that retailers have been too complacent about security, and that they have been reluctant to share information with one another. This has no doubt fanned the flames of recent thefts. We have to work together as an industry to solve problems, learn from each other and elevate standards across the board. We’re all in this together, which is one reason Clearwater invests so much time and energy in sharing information and resources with the healthcare community.
After working with 400 organizations to help them solve information risk management and compliance challenges, we’ve seen many common problems as well as innovative solutions. Collectively, this type of information must be shared throughout the industry if we hope to systematically solve the problem of safeguarding PHI.
At the end of the day, healthcare is facing the same challenges as retailers: high-profile breaches, increasing cyber security threats, and a track record of less than adequate compliance efforts. It’s up to us whether this gets better or worse. The time to act, both individually and collectively, is now. Let’s hit the nail on the head. Failure to do so will be costly beyond comprehension.
Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics and get to grips with these issues and more.
Posted by Michelle Caswell