According to a Department of Health and Human Services investigation, AHP committed the following errors:
- AHP impermissibly disclosed the EPHI of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company.
- AHP failed to assess and identify the potential security risks and vulnerabilities of EPHI stored in the photocopier hard drives.
- AHP failed to implement its policies for the disposal of EPHI with respect to the aforementioned photocopier hard drives.
Without admitting any fault, AHP agreed to pay a handsome penalty. To see the Resolution Agreement, click here.
Bottom line: Good risk management practices consider a wide range of exposures and risks created by surrounding technologies (e.g. copiers, internet, social media, storage, disposal) and by the various kinds of information involved (financial or health information, trade secrets, R&D, etc.).
Forecasters predict that the amount of information companies have to manage will quadruple in the next ten years. Data management and security protocols are a growing risk management concern. Companies need to protect proprietary and confidential information, including everything from their latest designs, internal communications, client data, marketing strategies, and financial information, and the list goes on. Fact is, every aspect of your operations has information and data attached to it that competitors, or worse, would love to have access to. What can and should a company do to help manage this ever-growing risk?
- Make sure you have cyber-liability and other insurance coverages to cover against these losses.
- Do a complete assessment of the most important risks. Not all are weighed equally. Make sure there is someone fully responsible for managing each one of those risks.
- Make sure you know where the information flows and who has access to it. Chances are, your employees have access to more information than they need to.
- Have protocols surrounding all information devices including servers, desktops, laptops, and mobile devices, video conferencing, online chats, and social media platforms.
- Train your employees on the risk associated with not properly managing this information or data.
- Hire a third party service to check your vulnerabilities.
- Employ today’s technologies to help better manage data. For example, Symantec and Websense are the leaders in data loss prevention. Their software is often used to prevent social security and credit card numbers from leaving a company.
- Have protocols around the use of social media. HR That Works members should take a look at the Social Media Training Module and related tools.
- Have clear protocols about people who are telecommuting to work or are third-party vendors.
- Manage the departure of terminated or defecting employees deliberately. You can have non-compete and confidentiality agreements, and you can take a checklist approach to making sure all equipment, passwords, etc. have been collected. If necessary, you can employ counsel to file an injunction against use of any confidential information.
- Don’t forget about low-tech espionage including dumpster divers and the Xerox machine.
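The data loss prevention item above mentions software that stops social security and credit card numbers from leaving a company. The following is an added illustration of how such a content check works, written for this page and not taken from any vendor's product: it scans constructed sample messages for SSN and card patterns, and uses format rules (SSA area/group/serial restrictions) and the Luhn check digit to cut false positives on ordinary numbers such as order IDs.

```python
import re

# Constructed sample outbound messages for demonstration (not from the original post).
SAMPLE_MESSAGES = [
    "Patient 123-45-6789 was discharged; send records to billing.",
    "Card on file: 4111 1111 1111 1111, exp 09/27",
    "Order #4111111111111112 shipped today",   # 16 digits but fails Luhn: not a card
    "Quarterly numbers look good, see attached.",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by spaces or hyphens, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject values the SSA never issues: area 000, 666, 900-999; group 00; serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def classify(text):
    """Return the list of sensitive data types found in one message."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append("credit_card")
    return findings


def scan(messages):
    """Map message index -> findings, for messages a DLP policy would block or flag."""
    results = {i: classify(msg) for i, msg in enumerate(messages)}
    return {i: f for i, f in results.items() if f}
```

In production a DLP engine adds many more detectors and context rules (for example, only blocking when a card number appears next to an expiry date), but the shape is the same: pattern match, then validate, then apply policy.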
These suggestions are just a start. You should conduct an extensive risk management and technology assessment and there are plenty of vendors willing to help you with that effort.