Protecting Your Mission Critical Information
by Loren Weeks

If you are a medical business that is considered a "covered entity" under the new HIPAA regulations, then you are soon going to feel the pressure to implement a thorough information security system.
You may not think that your business is at risk for losing its mission critical information. But think about this: have you ever had a disgruntled employee? Have you ever seen a laptop lying carelessly around your office? Do you transmit confidential information over email? How much would your closest competitor pay to get a list of your clients?
If you don't have a good security system to protect your mission critical data, then you are running a calculated risk every day, and it is only a matter of time before some of your data is lost or stolen. Over the past five years, information technology security breaches have increased exponentially. In 2002 alone, 620,000 laptops were stolen, and each theft cost the business an average of $89,000.
If you are a covered medical entity, then you are running a double risk: after April 2005, you can also incur severe penalties under the new HIPAA security regulations.
Just like a lock for your door, a good information security system will protect your mission critical data from theft or loss. This is especially important if your business deals heavily in very personal client data, or unique intellectual property--such as social security numbers, medical histories, client contact information, payroll, accounts payable, patent information, or private research data. It can also protect you against poor employee practices, such as untrained staff members who toss disks with valuable financial records into the trash.

All health plan managers, health care providers, and health care clearinghouses--including doctor's offices, clinics, hospitals, medical insurance providers, and medical billing companies--will be required to meet the new HIPAA standards by either April 2005 or April 2006, depending on the size and type of organization. In all, there are 42 security implementation standards identified by the HIPAA security rule, of which 20 are required and 22 are considered "addressable." And the penalties for non-compliance are severe--from $100 for simple violations, to $250,000 plus 10 years' imprisonment for malicious violations.

So how can you protect your mission critical data? Luckily, creating a good information security management system is not as difficult as you might think. Even if you are a small business with a few employees, you should be able to establish good security parameters within a reasonable budget.

To Protect Your Mission Critical Data, You Should:
- Perform a Risk Assessment. What is your mission critical data? What are the current risks to that data? Be honest with yourself. If you were a thief, how would you steal that data?
- Create a Plan. What tools, processes, training, or technology could fix those gaps? Identify new operational procedures.
- Execute Your Plan. Install any new technology, and train staff on the changes to policy.
- Verify, Monitor, and Measure. Check back in a week or so. Are the new safeguards working like they should?
- Perform Ongoing Maintenance. Once a month, meet with your staff and review the new procedures. Address any problems.
Plenty of resources are available to assist you. Start with a readily available industry standard best practices guideline, such as the ISO 17799 or the NIST 800-30. Most of the HIPAA security standards are available on the internet. Or, if you don't feel comfortable sorting through regulations and standards, find an information security management specialist that you like and trust. A good one can test out your systems and identify your weak spots, recommend changes, and implement them. Protecting your mission critical data is not difficult, but it may prevent a nasty surprise later on. 93% of companies that experience a significant data loss are out of business within five years. Take a few minutes now to make sure you are not one of them.
Loren Weeks, MBA is a Principal Owner of 10-D Consulting. He can be reached at 816.726.9772, or at lweeks@10DConsulting.com