Health IT and Electronic Health

Pabrai on HIPAA/HITECH Compliance

Feb 8 2011   2:48PM GMT

Learning from the Hack @ Nasdaq Computers

Posted by: Pabrai
hacking, HIPAA, HITECH, Risk Analysis

Computer systems that run the Nasdaq Stock Market have been repeatedly penetrated over the past year, reported The Wall Street Journal on February 5, 2011. The possible motives include unlawful financial gain, theft of trade secrets, and a national security threat to damage the exchange. The Nasdaq exchange is regarded by the government as critical, similar to power companies and air travel control operations – all considered part of the U.S. basic infrastructure. 

In the recent past, hackers planted potentially disruptive software programs in the U.S. electrical grid. In the case of the Nasdaq hack, it seems that the intent was to “snoop” and learn about the system; it does not appear that any information had been tampered with. The U.S. Secret Service and the FBI are investigating the matter.

Businesses and organizations are under constant attack, with estimates of an attack every 1.5 seconds on the business information infrastructure – about 60,000 attacks every day. In recent years U.S. authorities have experienced cyberattacks linked to computers in Russia, China and Eastern Europe.

With breaches on the rise with attacks from the outside and inside, it is critical to conduct a comprehensive and thorough assessment of the threats and vulnerabilities to the confidentiality, integrity and availability of all critical assets and sensitive information managed by the organization. When is the last time your organization conducted a risk analysis activity?

A checklist of steps to review in order to address breaches and incidents includes:

  1. Develop policy on Discovery, Reporting & Notification of Information Breaches
  2. Review, update and integrate security controls and reporting capabilities for incident management
  3. Create a specific procedure for information breach management
  4. Develop specific procedure for information breach notification
  5. Conduct training for all members of the workforce on your policies and regulatory mandates for security

It is not a question of if your organization will experience a breach. It will. It is a question of how quickly you can discover the incident and what specific steps must be taken to address the assets and information that may have been compromised. In many industries, including healthcare, there are severe fines and penalties related to breach notification.

Have you recently reviewed and updated your organization’s policies, procedures and controls for managing breaches and incidents?

Review ecfirst breach and policy templates at the Resource Center at Contact Audra at to schedule a private Webcast focused on breach and incident management.
