A data breach is a big deal for a healthcare organization, regardless of incident type. Dealing with the aftermath of a breach, or any security incident, can be a challenging, time-consuming, and often chaotic process. Radar, from the privacy-savvy folks at ID Experts, helps organizations create an incident response plan in the event of a data breach and track each step as it is resolved. Cyber-attackers may breach the network and access sensitive data, or an employee may have accidentally lost a laptop holding documents with health-related information. A misconfigured server may have inadvertently exposed files to people outside the organization, and a rogue hospital employee may access patient records and share them with unauthorized individuals. All these incidents are subject to a slew of compliance regulations, state and federal laws, and industry standards; Radar makes the complex process more straightforward.
ID Experts positions Radar as a “privacy incident management” tool specifically designed for healthcare organizations such as hospitals, clinics, and health plans. The platform focuses on HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health) regulations as well as state data breach notification laws.
Radar is similar to Co3 Systems in that both platforms help administrators manage data breaches and lay out the steps to identify the flaw, fix the issue, notify the victims, and verify the problem has been addressed. Co3 Systems is heavily wizard-based, covers a broader range of regulations than just healthcare, and is not limited to data breaches.
What Radar Does
Businesses, focused on preventing data breaches and leaks, often forget to plan for the worst-case scenario when security technology and processes fail. Radar proactively addresses this problem by allowing administrators to generate a detailed incident response plan to identify each step that needs to occur.
Managers and security teams answer a series of questions regarding a particular security or privacy incident, and Radar returns a list of the state laws and HIPAA/HITECH regulations that apply to the specific circumstances. The software then identifies everyone that needs to be notified.
While I often use the terms interchangeably, the platform differentiates between incidents and breaches. An incident would be an employee losing a laptop. A breach would be if someone found that lost laptop and exposed patient data. If the hard drive had been encrypted, the loss would have remained an incident because the data was still secure. If I specified that the data had not been exposed (because the laptop fell into the ocean), Radar would flag the report as “Documentation Only” and not generate an incident response plan. If I indicated there was a possibility of someone actually coming across the data (in the case of a lost laptop at a conference), then Radar would generate a response plan.
Considering that companies suffering a breach have to respond quickly, being able to quickly generate customized incident response plans with a clear workflow means the organization can respond consistently and effectively. The platform also uses color-coded keys to identify which incidents are high risk, and the impact on HITECH compliance.
Entering An Incident into Radar
ID Experts gave me access to Radar 2.7 and pre-populated the account with some ready-made incidents. After logging onto the platform, I clicked on the “Document New Incident” button to create an event and log what happened, and then played with the reporting module.
In the case of a lost laptop, I filled out a detailed form describing what was lost, what format the data was in, who was involved, and how many records may be impacted. Some sections went into great detail, such as clarifying the form of electronic data that was lost—email, portable storage, FTP, and others—whether the breach was malicious or non-malicious, and how it happened.
I also identified what data elements were lost, whether it was personal identifying information (PII), protected health information (PHI), or other sensitive information. It would have been nice to just be able to say “All PII” or “All PHI” instead of going down and clicking on every single checkbox, but it does force the administrator to really pay attention to what data was lost.
I could indicate the types of data exposed, such as names, health records, banking information, and others. All businesses are different, so I was able to specify exactly which compliance regulations I was subject to (or just best practices) and wind up with a very customized incident plan.
It was a very easy process, as all the information was laid out screen-by-screen. There are helpful tips along each step, and the interface makes it simple to skip sections if I didn’t have the requisite information. I could always go back and re-enter the missing information and recreate the assessment.
Since Radar offers a state-by-state assessment, I also had to identify how many of the victims were residents of which state. The information collected in this table determines which state laws the organization is subject to. This page applies only when working on an actual breach and not a “Documentation Only” incident.
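The triage the review walks through (encrypted or unreachable data stays “Documentation Only”, anything else gets a response plan, and the state residency table decides which notification laws apply) sketched as an added Python example. This is not ID Experts' code: the risk-color rule is my assumption, and the deadline table is constructed, with only Maine's seven days taken from the review.

```python
from dataclasses import dataclass, field

# Constructed deadline table: Maine's seven-day window is cited in the review;
# any other state is left as None (look up the statute) rather than invented.
STATE_NOTIFY_DAYS = {"ME": 7}


@dataclass
class Incident:
    description: str
    data_encrypted: bool            # was the storage encrypted?
    exposure_possible: bool         # could someone plausibly reach the data?
    data_elements: set = field(default_factory=set)         # e.g. {"PII", "PHI"}
    residents_by_state: dict = field(default_factory=dict)  # state -> count


def classify(inc: Incident) -> str:
    """Encrypted or unreachable data stays an incident ('Documentation Only');
    otherwise the tool treats it as a breach and builds a response plan."""
    if inc.data_encrypted or not inc.exposure_possible:
        return "Documentation Only"
    return "Breach"


def risk_color(inc: Incident) -> str:
    """Assumed mapping (not Radar's actual scoring): PHI or financial data is
    red, PII alone is yellow, anything else is green."""
    if classify(inc) == "Documentation Only":
        return "green"
    if inc.data_elements & {"PHI", "financial"}:
        return "red"
    if "PII" in inc.data_elements:
        return "yellow"
    return "green"


def response_plan(inc: Incident) -> list:
    """Tasks derived from the data elements and the state-by-state resident table."""
    if classify(inc) != "Breach":
        return []
    tasks = ["Document incident and preserve evidence"]
    if "PHI" in inc.data_elements:
        tasks.append("Assess HIPAA/HITECH regulator notification")
    for state, count in sorted(inc.residents_by_state.items()):
        if count <= 0:
            continue  # no residents in this state, so its law does not apply
        days = STATE_NOTIFY_DAYS.get(state)
        deadline = f"within {days} days" if days else "per state statute"
        tasks.append(f"Notify {count} {state} residents {deadline}")
    return tasks
```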
At every step of the way, I could add notes or upload supporting documents, such as remediation plans, checklists, and reports, to create comprehensive records of the incident. This way I had a central repository of every single security and privacy incident with all the details, notes, and attachments.
With the generated incident response plan in hand, I could assign tasks to relevant responders and see which tasks have been completed. In sections specifying that I had to notify a regulatory agency, there was a section to indicate when the notification was made, whether the decision was made to defer notification (and why) and other activities. Anyone can look at the plan and see exactly where the response team was and what tasks were currently pending or on hold. If someone wasn’t doing his or her job, I could reassign the task to someone else.
Radar used the provided information to plot the risk level by calculating the severity of the incident and whether other regulatory groups need to be involved. If PII was exposed, or if there were any financial, reputational, or medical risk levels associated with the data, they were color-coded (red, green, and yellow) so that I could see what the risks were.
The main dashboard view listed all the incidents currently in the system. I could filter the list by status, by date, and by who the incident was assigned to. At any given point in time, I could see an updated list of exactly what steps had been completed within an assessment and what else was left to do. Each incident in the dashboard had a color-coded circle (red, yellow, green, white) to indicate the risk level for HITECH and state laws. Some incidents had low state impact and medium risk for HITECH, for example.
The pre-canned reports let me track open and closed tickets, run compliance reports, and prepare documentation in case of an audit or investigation.
Benefits of SaaS
Since it is offered as a software-as-a-service, ID Experts can regularly update the platform to reflect changes in the laws, compliance requirements, and industry best practices. Users get access to the latest information without worrying about whether or not they have upgraded to the latest software. Logging into the portal, they always see the latest version. When it comes to breach notification, businesses don’t have to try to remember all the different laws and regulations they need to comply with.
The state breach laws vary widely from state to state. Some states require businesses to provide more information than others. How soon victims need to be notified also varies by state, with Maine requiring organizations to notify customers within seven days, while others allow a few weeks or months.
Businesses can sign up for a live demo or watch a Webcast to get a feel for the platform. The price tag for the annual subscription ranges from $10,000 to $50,000 and depends on factors such as the number of users, the licensing period, the number of states included in the assessment, and others. The introductory price of $5,250 buys a multi-year license for one user with HITECH assessment and one state assessment.
Regardless of the final configuration, all Radar users automatically get risk assessment and incident notification capabilities and access to a central repository which holds all incident-related data. Users can use the dashboard to assign and reassign tasks, notify relevant parties, issue alerts, add and edit notes, tag notes for easy retrieval, and run pre-defined reports. Add-ons include state-based risk and notification assessment, custom reports and charts, and user access controls to govern who has access to which types of data.
For some businesses, a $5,000 or higher price tag for an annual subscription to a platform they hope never to need may seem high and unnecessary. However, this is the perfect example of organizations spending money now to save money later. Data breaches themselves can be quite costly, with recent figures estimating the total cost at an average of $5.5 million, which includes legal liabilities, impaired productivity, and related expenses. Spending $5,000 or more to essentially reduce legal liabilities to zero, because the incident response plan ensures the organization dealt with everything in a timely manner, sounds like quite a bargain.
Organizations can use Radar to analyze and figure out the extent of a breach and identify what needs to be done next. With a detailed incident plan, incident response time can be slashed dramatically, which translates directly into lower liabilities and faster mitigation. Because it’s software-as-a-service, organizations also know they have access to the most up-to-date rules without having to spend time tracking down the information.
Radar provides businesses with a straightforward and easy-to-use interface to create those incident plans, and it makes the process of planning for a nightmare scenario as painless as possible for healthcare organizations. Even though it is not as extensive or slick as Co3 Systems, Radar is a solid incident response planning tool that businesses can use to proactively prepare for the eventual data breach.
OS Compatibility: Windows Vista, Windows XP, Linux, Mac OS, Windows 7, Windows 8
Copyright © 2012 Ziff Davis, Inc