BreachExchange mailing list archives

The Story of University of Utah Hospitals & Clinics Data Breach
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 9 Sep 2010 01:36:13 -0400

http://www.healthdatamanagement.com/issues/18_9/health-care-technology-news-breach-university-utah-40908-1.html?pg=2

In a nutshell, everything that could go wrong went wrong for
University of Utah Hospitals & Clinics, even though the theft appears
not to be its fault.
In addition, UUHC quickly came clean instead of going into damage
control and trying to keep a potentially explosive problem under
wraps.

Data security experts like Gilbert say hospitals can take steps to
protect themselves from what happened to UUHC by carefully
scrutinizing third-party service providers, constructing well-crafted
agreements and staying vigilant after the contracts are signed.
"The most important things are due diligence before the contract,
[constructing] a good contract and not falling asleep after the
contract," says Gilbert.

The dangers are real: she recently asked a group of data privacy
professionals including several chief privacy officers what they
feared the most and the "No. 1" response was subcontractors and
service providers.

Gilbert expresses their thinking: "I am not afraid within my own
company because I am in control of testing, training and who I hire. I
am not in control of service providers and subcontractors. Beware,"
she says.

Common sense required

Common sense, and legal and technical thoroughness, are essential,
Gilbert adds. Before a contract is signed, hospitals need to grill
their prospective service provider about their information security
practices.

For example, when did they last do employee training? And who has
access to the hospital's data?

"A [hospital] can visit the service provider or send them
questionnaires about how do you do this and how do you do that," says
Gilbert. "It's a normal practice that every prudent company does.
Sometimes the service provider pushes back because it takes a lot of
their time, but it's essential and a normal practice that every
prudent company does."

Then there's the contract.

"Assuming you've conducted due diligence that the company has adequate
procedures, the second thing to do is a contract. Don't sign any
services agreement without paying attention to what it says," Gilbert
advises.

There are "standard clauses" that legally mandate the company to apply
the information security plan it laid out to the customer. A list of
these clauses can be added in an appendix to the contract, according
to Gilbert.

"You can build the contract provisions so the hospital has the ability
to audit the service provider once or twice a year and go on the
vendor's premises to look at the vendor's procedures, training and
backgrounds of their employees," she says.

While such scrutiny is expensive and time-consuming, it's well worth it.

"There is a price for everything. If you told me new tires are expensive
and you're going to stay with old tires because they are cheaper, and
then you have an accident, don't complain," says Gilbert.

 [..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/