Key Takeaways From Breakfast & Breaches® | D.C.

Breakfast & Breaches

Key Takeaways From Breakfast & Breaches™ | DC

Clearwater’s recent Breakfast & Breaches event in Washington, DC brought together an outstanding group of leaders with unique insight on the growing problem of how to keep protected health information secure. Drawing on their combined decades of experience working across the compliance spectrum, our panelists and moderator challenged the audience’s thinking with regard to how their organizations analyze and manage risks.

Following are brief excerpts of some of the most important insights shared:

Are you still working in silos or do key stakeholders across the organization come together to assess risks?


Kevin Hewgley (2)

Kevin Hewgley
Vice President of Financial Services Lockton Companies

“Most companies still have not figured out how much time to dedicate to risk and privacy issues. It’s piecemeal patchwork. I’m still very, very surprised that very large organizations with complex Risk and Legal Departments and dedicated Chief Privacy Officers have never sat down collectively to talk about their risks or how to respond in the event of a breach.”

 

Is understanding your information risks a board-level concern?


Leon Rodriguez (2)

Leon Rodriguez
Former Director of the Office for Civil Rights & Partner at Seyfarth Shaw

“There is a corporate governance issue that becomes a big deal when OCR is investigating you. If there is a strong sense that both the C-suite and the board are immersed in these privacy and security issues and empower their security officers, that’s going to look really different to OCR than a CISO who is off by himself.”

 

Do you have a good handle on where your exposures lie?


Bob Chaput (2)

Bob Chaput
Founder and Executive Chair, Clearwater

“This whole idea of board engagement, C-level engagement…is enabled greatly by doing what’s required in the Security Rule. And that is how are you going to avoid bad things happening until you know what your exposures are.”

 


Greg Ehardt

Greg Ehardt
Vice President & Chief Compliance and Privacy Officer, CHRISTUS Health

“The one thing we go back to when we have a security risk analysis – that being the backbone of any security program – you can’t have that in place unless you truly understand the information assets that are out there.”

 

Is evaluating risks a one time or once in a while thing or is it an ongoing concern?


Nick Heesters

Nick Heesters
Health Information Privacy & Security Specialist, Office for Civil Rights

“If a new technology is brought into an organization or a technology has significantly changed, there is an obligation to conduct an evaluation of how those changes affect the security of PHI, and often times, that evaluation is not done.”

 


Leon Rodriguez (2)

Leon Rodriguez
Former Director of the Office for Civil Rights & Partner at Seyfarth Shaw

“If you look at the settlements…the failure is not the failure to do a risk analysis in the first instance. It’s rather a failure to update the risk analysis. What it points to is not just the quality and comprehensiveness of the initial risk analysis but that it’s a constant process. You really need to be aware of how your environment is changing…It’s not just a one-time thing.”

 

If a breach occurs, are you confident in your ability to meet OCR’s requirements?


Nick Heesters

Nick Heesters
Health Information Privacy & Security Specialist, Office for Civil Rights

“Some of the risk analysis we get back just doesn’t really reflect what the rule requires. The rule requires that it be done in an accurate and thorough manner. To accurately and thoroughly assess the risks to an organization’s ePHI. Frankly, that’s not what we get.”

 


Nick Heesters

Nick Heesters
Health Information Privacy & Security Specialist, Office for Civil Rights

“Often times, part of the Corrective Action Plan (CAP) is going to require the organization to do the risk analysis in the manner that OCR expects…as part of conducting that risk analysis, there is a requirement in the CAP to do an enterprise-wide inventory of all their systems and applications and how they interoperate with respect to the ePHI within the organization.”

 

Beyond the negative consequences of a breach from a regulatory perspective, have you contemplated the wide range of damage that can result, including major harm to your organization’s reputation not to mention potential unthinkable harm to patients?


Greg Ehardt

Greg Ehardt
Vice President & Chief Compliance and Privacy Officer, CHRISTUS Health

“Depending on the size of the organization, you might be able absorb the fines. It’s the reputation and the risk there that we’re weighing…You have to define what your risks are and where you want to put your money to address them.”

 


Bob Chaput (2)

Bob Chaput
Founder and Executive Chair, Clearwater

“The regulatory drive or motivation is important, but there is a much more important motivation here. It’s the explosion of data, devices, and systems that are supporting our healthcare system. The unintended consequence of this explosion is greater risk.”

 

Learn more about Breakfast & Breaches™ | D.C. and access the full session recording here

Newsletter

Sign up for our monthly newsletter discussing hot topics and access to invaluable resources.


Related Blogs

Perspective on the Proposed Health Infrastructure Security and Accountability Act

Perspective on the Proposed Health Infrastructure Security and Accountability Act

The Health Infrastructure Security and Accountability Act (HISAA) introduced in the U.S. Senate on September 26 is another good step forward in addressing key factors contributing to the healthcare sector’s deficiency in establishing and maintaining adequate cybersecurity controls and risk management programs. While there are many in the sector that are already implementing recognized standards, having mandated standards would help to make sure everyone is playing by the same rules.

Connect
With Us