DHC 2008: Pre-Conference Themes and Variations, Phishing and Website Security Breach

Dr. Barry Chaiken
May 7, 2008

This year’s Digital Healthcare Conference, held at the Fluno Center in Madison, WI, focuses on issues that are top of mind for senior executives at provider organizations. This is my 6th year as chairperson of the conference.

Prior to the conference, interactive sessions led by vendor representatives explore key issues important to both the provider organizations and the vendors. Our Advisory Board Chair, Peter Strombom, former CIO at Meriter Hospital and former chairperson of CHIME, leads each of these five sessions, guiding the vendor representatives in these non-sales-oriented presentations.

The first session, led by Erik Phelps, partner at Michael Best Friedrich, focused on how organizations need to respond to web site security breaches. Erik specifically focused on credit card theft through a phishing scheme. Key concerns expressed in this session included:
 

  • When do you notify the authorities? The FBI and Secret Service are key relationships to develop and manage both before and after such a breach.
     
  • Do you shut down your own web site due to the breach? Be sure to contact your finance department as well as other stakeholders within your organization before taking any significant steps.
     
  • How do you shut down the phishing site? Most web site hosting organizations have fraud departments specifically set up to respond to such occurrences.
     
  • When do you involve forensic experts to record what has occurred? Develop a relationship with forensic firms so that they can be called in quickly to record events for legal issues. Read the TJX Company’s 10K report that addresses their security breach of several years ago. The costs to the company exceeded $200 million.
     
  • What do I need to focus on after a data breach? Priorities include: 1) getting your business back to normal, 2) addressing public relations issues, 3) developing plans to correct process and employee training issues to reduce the risk of another event, and 4) exploring what other breaches might have occurred prior to the current event that you might not be aware of.

Further reading:

TJX Company security breach analysis
TJX Company security breach commentary

 

 

Barry P. Chaiken, MD, MPH, has over 18 years of experience in medical research, epidemiology, continuous quality improvement, utilization management, risk management, health care consulting, and public health. He is a member of the board of directors of HIMSS and a former associate chief medical officer of BearingPoint.

Comments

Erik Phelps responded May 9, 2008: #1

Barry,

Thanks for touching on some of the things in my presentation. As a hypothetical, of course, it was designed to discuss key decisions in the context of a specific fact pattern.

More important, however, is that organizations which handle information of their customers/consumers/patients which is personal (and especially financial or health related) MUST plan for what they would do when (note use of "when," not "if") the security and/or privacy of that information is compromised or potentially compromised (as you often won't know for sure at the outset of an "incident").

Effective incident response planning should be part of each such organization's overall risk management process, and while that sounds obvious and straightforward, it turns out to be complex and challenging when you start actually doing the planning and making certain decisions.

The complexity makes it all the more important that the planning and decision-making be done BEFORE you have to respond to an incident, not during one.

Erik
