Published Tuesday, January 5, 2016
By

The Who, What, When, Where and How of Your Healthcare Data and Information Risk Assessments

How ransomware makes healthcare wannacry.

Exposure assessments are essential in any healthcare business, because they let you focus limited resources on protecting the most vulnerable areas. This quick “who, what, when, where and how” guide highlights the cyber liability exposures that may exist in your business’ network.

Who can see and/or have access to the sensitive or private information? Answering this question, a practice also referred to as account provisioning and regular access review, ensures that access is granted only when it is needed. Regular review also prevents access “creep,” where a user transitions to a new role but retains the access rights of the previous one.

What sensitive or private information is in your custody? Conducting a data classification exercise permits you to determine what information you have on file that is sensitive, as well as its degree of sensitivity. Consider designing a classification system to determine the quantity and severity of sensitive information for which your organization is responsible.

When was the data created or saved on file? As part of your records retention policy, data should be checked regularly to determine whether it should be properly and safely deleted or archived. The more “live” data you keep, the more data may be vulnerable to a cyber attack.

Where is the sensitive or private information located? Database servers, workstations, web servers, laptops, file cabinets, records storage facilities and external hardware are all at risk of compromise. Implement a data inventory exercise so you know where data is stored. This exercise should identify not only where data is stored internally, but also the external locations and devices that hold data, so that you know what is exposed if a laptop or external hard drive is stolen.

How do you contact individuals whose sensitive or private information is breached? The specifics of how to contact affected individuals, and the information that must be provided, depend upon the breach notification laws that apply. The applicable law is typically based on where the individual lives, rather than on your state of incorporation or where the data was stored. It is advisable to engage a breach coaching expert and legal counsel to assist in this type of effort.

It is impossible to overstate how critical it is to understand how sensitive information flows through your healthcare organization. Simply knowing where a cyber breach may occur is the first step in protecting that outlet. Always be prepared, and check the legal and regulatory requirements that apply to you.

Please visit www.cna.com/healthcare or contact a CNA representative to see how your business can obtain coverage.

One or more of the CNA companies provide the products and/or services described. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.