Due diligence an IT priority for 2014


The data supply chain and the threat of malicious insiders will pose continuing challenges to hospitals this year according to a 2014 security forecast by cyber security experts Kroll.

While organizations may have their own security in order, the same may not be true for the business associates who handle that data.

“What we’re seeing in many cases is that as that data leaves the hospital it ends up in the hands of third parties that may not have the same stringent requirements as the hospital or health insurance plan. That is going to be a significant issue for the next few years,” said Tim Ryan, managing director and cyber investigations practice leader for Kroll.

“Hospitals need to carry out a modicum of due diligence. They need to know who these third parties are that are handling their sensitive data. They need to talk to them and find out how they are securing this data, whether this data is being moved outside the country, how that data is being moved around, and how is it being secured.”

He added that the crafting of business associate agreements is highly important, as is planning for the eventuality of a breach.

“Planning for the incident makes things go a lot smoother,” he said.

Just as it is important to carry out a process of due diligence with your business associates, it is vital to consider who will be handling patient records within your organization, he added.

“When it comes to dealing with insiders, information security is a continuous effort that overlays initial due diligence,” he said. “You need to decide whether to give an individual access to the data and you need to define what is acceptable use of their devices.

“You also need to decide what will be the penalties when they transgress – and when staff leave, it is important to have a systematic way of terminating their access.”


Kroll, cyber security, 2014 security forecast