BreachExchange mailing list archives
The Story of University of Utah Hospitals & Clinics Data Breach
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 9 Sep 2010 01:36:13 -0400
http://www.healthdatamanagement.com/issues/18_9/health-care-technology-news-breach-university-utah-40908-1.html?pg=2

In a nutshell, everything that could go wrong went wrong for University of Utah Hospitals & Clinics, even though the theft appears not to be its fault. In addition, UUHC quickly came clean instead of going into damage control and trying to keep a potentially explosive problem under wraps.

Data security experts like Gilbert say hospitals can take steps to protect themselves from what happened to UUHC by carefully scrutinizing third-party service providers, constructing well-crafted agreements and staying vigilant after the contracts are signed. "The most important things are due diligence before the contract, [constructing] a good contract and not falling asleep after the contract," says Gilbert.

The dangers are real: she recently asked a group of data privacy professionals, including several chief privacy officers, what they feared the most, and the "No. 1" response was subcontractors and service providers. Gilbert expresses their thinking: "I am not afraid within my own company because I am in control of testing, training and who I hire. I am not in control of service providers and subcontractors. Beware," she says.

Common sense required

Common sense, and legal and technical thoroughness, are essential, Gilbert adds. Before a contract is signed, hospitals need to grill their prospective service provider about their information security practices. For example, when did they last do employee training? And who has access to the hospital's data? "A [hospital] can visit the service provider or send them questionnaires about how do you do this and how do you do that," says Gilbert. "It's a normal practice that every prudent company does. Sometimes the service provider pushes back because it takes a lot of their time, but it's essential and a normal practice that every prudent company does."

Then there's the contract. "Assuming you've conducted due diligence that the company has adequate procedures, the second thing to do is a contract. Don't sign any services agreement without paying attention to what it says," Gilbert advises. There are "standard clauses" that legally mandate the company to apply the information security plan it laid out to the customer. A list of these clauses can be added in an appendix to the contract, according to Gilbert. "You can build the contract provisions so the hospital has the ability to audit the service provider once or twice a year and go on the vendor's premises to look at the vendor's procedures, training and backgrounds of their employees," she says.

While such scrutiny is expensive and time-consuming, it's well worth it. "There is a price for everything. If you told me new tires are expensive and you're going to stay with old tires because they are cheaper, and then you have an accident, don't complain," says Gilbert.

[..]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/