In our last blog post, we discussed the prominence of data breaches in the healthcare industry. With so much of the attention being paid to breaches after-the-fact, what can a Covered Entity or Business Associate do to help prevent a data breach in the first place?
For many organizations that have had a breach occur in the past year, the realization that their security controls around how they manage healthcare information, internally and externally, were inadequate has come too late. Many times it does not happen until after OCR delivers its Resolution Agreement, in which its investigation sets out findings about the occurrences and the resolution settled between OCR and the breached party. By the time this agreement is delivered, received and agreed to by all the affected parties, the damage has already been done. Monetary fines have been imposed and the breached party's reputation has been tarnished.
The breached party then has to implement the specifications laid out by OCR in the agreement. These specifications carry strict timelines, forcing the organization into reactive mode immediately. The organization is now charged with running a business while containing and mitigating the effects of the breach, and at the same time remediating all deficiencies found by OCR. With resources for these work efforts often already limited, the pressure on the breached organization becomes real.