Printer Friendly, PDF & Email

Compliance Refresher: Get Cozy With IT Folks, Review Insurance, Fine-Tune Policies, Training

Attorney Brad Hammer doesn’t always don a suit and tie, or what he calls his “lawyer’s uniform.” A privacy and security expert and founder of the Vakaris Group based in the Minneapolis area, Hammer found that dressing to match the folks he meets goes a long way toward eliciting the vital information he needs to help craft security policies or review ones already in place.

As he discussed during a wide-ranging talk at the recent Compliance & Ethics Institute, sponsored by the Society of Corporate Compliance and Ethics, co-publisher of RPP, security or information technology (IT) departments at HIPAA covered entities and business associates often have good policies and procedures in place—but there are limits.[1]

Security officials are “really good at writing policies about acceptable use and password requirements and any number of things related to security or protecting data,” Hammer said. But, adding he meant “no offense” to security officials, these individuals “are really, really bad…at communicating those policies. No one in the organization knows [the policies] exist.”

The answer, he said, is to “take the people who are good at communicating policies, the compliance people, [and have them] go talk to the information technology and security people.” The goal is to “share with everybody how awesome the policies are and help with the protection of the data,” he said.

Hammer prefaced his remarks by sharing a sobering July report by IBM and the Ponemon Institute,[2] which quantified the costs of data breaches from 2020. The cost of mitigating a health care breach was estimated at $9.23 million, slightly more than a general U.S. data breach but more than twice the cost ($4.24 million) of a breach globally, based on data from firms in 17 countries.

Hammer said the cost is important to know as it could help organizations fight for more funds to prevent and safeguard against these breaches; most, he said, likely need more resources and personnel.

Looking again at the cost of a global breach, of the $4.24 million, lost business accounted for $1.59 million or 38% of the total; “detection and escalation” accounted for $1.24 million or 29%. Post-breach response was estimated at $1.14 million, or 27%, with notification costs estimated at $270,000, or 6% of the total.

This document is only available to subscribers. Please log in or purchase access.

This document is only available to subscribers. Please log in or register for complimentary access.

* required field