Friday, November 6, 2009

HIPAA Compliance Data Breach with a Foreign Supplier

Recently, the Economic Times Report in India discussed a successful “Sting operation by a UK agency in which some health related data was bought from a medical transcription company”. What this means is that, in the most likely scenario, all of the personal and HIPAA-confidential data that was being transferred for transcription got stolen. There have been few stories of this type of data breach so far. The suppliers to US companies have not made the headlines, but this might be just the beginning of that wave. The two components of HIPAA Security are logical and physical security. Remote partners can easily breach your logical security controls.

Is there any real view that the US can export security laws such as HIPAA Security to all parts of the world that handle US customer data? How do you monitor the activities of your suppliers once the data has left your network? In the US, a company can control all the security devices such as firewalls, intrusion detection systems, antivirus on servers and patch management of servers hosting confidential data. These are all parts of most security regulations, including PCI, SOX, GLBA and more. But the endpoint of security has left these shores and resides in India, China, South America, Vietnam and anywhere else you have a supplier.

As your data now resides in a foreign country, what are the reporting requirements of a breach? HIPAA security policy has timeframes, reporting requirements and penalties. The only real penalty a company overseas may face is loss of the contract. Few governments are up to enforcing security rules outside of actual hacker activity.

So what are some steps you can take to implement Supplier Security?
1) Conduct a vulnerability assessment of your connectivity to your suppliers’ networks
2) Define the process and policy controls that the supplier has to have in place in order to hold your data
3) Assign risk ratings to all data the supplier handles
4) Conduct a risk assessment of the impact of losing the data
5) Develop an incident response plan for the supplier losing your data
6) Assess the supplier's security procedures on a yearly basis
