BUSINESS SENSE BY GWEN HUGHES, HUGHES VIRTUAL PRIVACY OFFICE, LLC, AND PATRICIA HUGHES, ONEBEACON INSURANCE

Information Privacy and Security Threats in Today's Drug and Alcohol Testing Labs


Cybercriminals will steal data any place they can find it, whether from a giant conglomerate or a small business. Since 2005, over 11 billion records in 9,033 breaches have been made public in the U.S.[1] Although drug and alcohol testing organizations have not been the focus of cybercriminals (or regulatory enforcement agencies) yet, the proverbial writing may be on the wall, since these businesses most likely collect personally identifiable information (PII)[2] and may in some instances collect individually identifiable patient information.[3]

• Last year, LabCorp, a laboratory diagnostics giant, was forced to take some of its information technology (IT) systems offline when it detected suspicious activity on its IT network. Although no unauthorized transfer or misuse of data has yet been reported, taking its systems offline impacted specimen processing, results reporting, customer service and satisfaction, and necessitated significant leadership, IT, and monetary resources to mitigate and manage.[4]

• Criminals continue to purchase health records on the dark web. Health records contain numerous identifiers that allow criminals to use the stolen health information to commit identity theft and medical-billing fraud. The information is also useful in submitting fraudulent tax returns, which has become a challenge for the IRS and for citizens who are due tax refunds.

• The biggest threats were malware and bots (reported by 76% of organizations), social engineering attacks such as phishing (65%), DDoS attacks (53%), web application attacks (42%), ransom threats (38%), and cryptocurrency miners (20%).[5]

• Ransomware was found in 39% of all malware-related data breaches. It accounted for 85% of all malware in healthcare. The low risk for the criminal and the potential for high monetary yields suggest ransomware attacks will continue, according to Verizon in its Data Breach Investigations Report (DBIR).[6]

• The average probability of a material data breach, the average cost of a breach, and the average size of a breach increased over the previous year, according to the Ponemon Institute's 2018 Cost of a Data Breach Study: Global Overview.[7] The average U.S. data breach cost was $233 per breached record. The average cost in healthcare was $408 per breached record, due to additional regulatory requirements.

While the threat of a data breach or ransomware attack is significant, it is just one reason drug and alcohol testing organizations should make information privacy and security an important priority in their ongoing strategic business plan. Other considerations include:

• The fact that some drug and alcohol testing organizations may be subject, directly or indirectly, to the Confidentiality of Alcohol and Drug Abuse Patient Records regulation,[8] the Privacy Act of 1974,[9] HIPAA,[10] or the European Union's General Data Protection Regulation.[11]

• All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving individually identifiable information. Security breach laws typically have provisions regarding those who must comply with the law, definitions of "personal information," what constitutes a breach, and notice requirements.[12]

• An increasing number of states are turning their attention toward the security practices of business and government. At least 13 states have laws requiring businesses that own, license, or maintain personal information about a state resident to implement and maintain information security procedures and practices.[13]

• At least 35 states and Puerto Rico have enacted laws that require businesses and governmental entities to destroy, dispose of, or otherwise make personal information unreadable or undecipherable.[14]

• The faster a data breach can be identified and contained, the lower the cost of the breach.[15]

Failure to comply with laws, regulations, or accreditation standards is bad for business. That which should have been done previously must now be done quickly and under the scrutiny of accreditation agencies or regulators. Leaders may need to expend time messaging so as not to lose trust or market share, or may experience difficulty recruiting talent.

Take an enterprise risk management approach to protecting information privacy and security.

1. Confirm commitment at the executive/governing-body level, recognizing the urgency of ensuring the privacy and security of personally identifiable information and/or individually identifiable patient information, when applicable, and integrating information governance, privacy, and security as a component of the organization's strategic plan.

18 datia focus


spring 2019

