
Electronic Data Breach Ramifications Can Damage Operations, Reputation

October 10, 2006

With more than 55 million Americans identified as edata breach victims, 2005 may go down in history as the "Year of the Breach," said health industry privacy attorney Renee Martin at the Thirteenth Annual HIPAA Summit in Washington, D.C., Sept. 26.

The repercussions for FDA-regulated companies are serious, she said. In addition to running afoul of stiff federal regulations like the Health Insurance Portability and Accountability Act (HIPAA) and 21 CFR Part 11, data breaches can lead to nasty and expensive class action suits, tort claims and contractual damages situations, Martin said.

But some companies don't realize that while HIPAA does not force companies to publicly disclose edata breaches, state laws in more than 20 states do. And those state laws trump HIPAA. The specter of public disclosure can mean that an edata breach also becomes a public relations nightmare that can slam a company's reputation, she said.

Unfortunately, "most businesses have not addressed adequately how to respond" to a data breach, she said. Many do not have a preventative action plan in place. Instead, they circle the wagons, begin pointing fingers and wallow in uncertainty after a data breach is detected, she said.

While having a plan in place before a breach is highly recommended, she offered tips and best practices on what to do in the event of a breach.

During the investigative phase, companies should focus first on the basics: how it happened and who was involved, she said. That means drilling down into the breach event. "Precision and specificity is critical," Martin said. Fixing the breach and preventing it from occurring again rely on "your ability to say with certainty what happened."

In many cases, formal or informal statements from witnesses may also be necessary, she said.

Just the Facts

In addition, get the facts up front on how much time you have to complete the investigation. Rules vary by state. For starters, determine whether relevant state or federal statutes apply only to edata or are broader in coverage.

Next, determine what data and what system was accessed, she advised. That means figuring out whether the stolen or breached data has already been misappropriated or could be in the future.

If you are a covered entity under HIPAA, understand the scope of any notice you must make outside your company, Martin advised. For example, in some cases notice must be delayed while law enforcement officials investigate the breach, she added.

A further challenge for companies is getting a handle on "unstructured data," said analyst Kevin Beaver in a white paper sponsored by Scentric.

"Many business executives don't understand what's really at risk and haven't bought into" the importance of protecting sensitive edata, he said. And many executives don't have any idea just how much sensitive data is stored in an unstructured fashion, Beaver said.

"I'm finding sensitive personal and business-related data stored in unprotected files in practically every nook and cranny across almost every network I look at," Beaver said.

He is an independent information security consultant and author of "The Practical Guide to HIPAA Privacy and Security Compliance," among other books. He said he finds unsecured data whether he browses the networks anonymously, logs in as a standard user or connects as an administrator-equivalent (see sidebar below).

Securing unstructured information is especially important, and difficult, in an e-based system, Beaver said. -- Michael Causey

Network Managers Don't Know Where Sensitive eData is Stored

IT security specialist and author Kevin Beaver recently warned companies to "get serious" about identifying and protecting unsecured sensitive edata on their networks. He said he is regularly finding such edata in files that are:

  • Stored insecurely on Windows desktops, in temporary directories and in local folders;
  • Missing proper access controls;
  • Skipped over during backups; and
  • Not being properly archived.

In addition to the sheer volume of edata, he said a common problem is that users aren't trained in how to properly create and store that sensitive edata. Another problem is network and storage administrators installing new servers and storage systems without any central planning.
