Ask the Expert


Question: My business deals with sensitive electronic health information. Do you have any cost-effective suggestions for how I can manage the risk of security breaches?


Answer: That’s a great question. More medical professionals are using electronic health records (EHRs) due to government incentives and changing attitudes toward patients’ involvement in their health care. Protecting the private data contained in those records is more important than ever. Also, state and federal breach notification laws are becoming broader in scope. That means more businesses are required to report data breaches to the public, which in turn increases their exposure to lawsuits by affected patients, partners and even employees. Clearly, it’s smart business to ensure the security and privacy of data networks.


Broadly speaking, data safety equals patient safety. So as a first step, identify any activities that might compromise data security. Negligence is currently the No. 1 driver of data breaches. In fact, according to a Ponemon Institute survey, IT and compliance professionals believe that 79 percent of data breach incidents are caused by negligence, 50 percent of them due to internal negligence. Lost laptops or USB drives, for example, may be found and put to malicious use by people with criminal intent. Sometimes, too, employees are tricked into releasing sensitive data through spear phishing schemes. In any event, companies can take a preventive approach by instituting employee education and training programs aimed at curtailing negligent behavior. It is also smart to put an effective encryption plan in place, ideally one that meets federal standards as laid out by such organizations as the National Institute of Standards and Technology; when the data on a laptop or removable drive is encrypted, losing the device does not mean losing readable patient records.


Breaches also can occur through the negligence of independent contractors or vendors, so be sure to do your due diligence and run basic background and credit checks on any vendors with whom your business will be sharing sensitive data. Also, have a candid conversation with potential vendors about whether they understand data security issues and have a process in place to safeguard EHRs and related data. Avoiding data dumps is also critical: your business should provide third parties with only the information they need to do their jobs (for example, billing partners likely don't need a patient's complete health history).


Finally, require network security and privacy (NSAP) coverage as part of any vendor contract. And, just as important, consider purchasing NSAP insurance for your own company. These days, there are many insurers to choose from. But whomever you sign with, the agreement should be broad enough that it is triggered whether a failure to protect information stems from internal employee negligence, vendor negligence, or an outright criminal act. As an added benefit, many NSAP insurers also provide proactive assistance with the risk management process.


Paul E. Paray, Esq., is a commercial litigator with more than 15 years of experience resolving complex claims. Paray is a member of the New York, New Jersey and Washington, D.C., bar associations and has spoken and written extensively on the management of digital risk.