
On Data Breaches

September 4th, 2009

About two years ago, I had a call from my local bank asking if I had purchased a washer and dryer… in Barcelona, Spain. Somewhere, someone had gained access to my credit card number and used it illegally for that purchase overseas.

It was not too long after that that another bank informed me that my card had to be canceled because of a data breach at a national chain store where I had purchased some clothing. (I have since come to learn that this data breach has already cost their parent company over $220M.) Then, a few weeks later, another card had to be canceled and re-registered. Finally, about three months after that, restrictions were placed on still another set of cards due to similar, but entirely unrelated, breaches. Three cards, three banks, multiple breaches… and my wallet was still firmly tucked in my back pocket.

In a recent article in Forbes Magazine, the facts and figures of this new, growing phenomenon were laid out statistically to bring some sense to what we are facing. The authors, Joe Carberry and David J. Chamberlin, state that “Only 36% of C-level executives are confident their organizations will not suffer data breaches in the next 12 months.”

As healthcare gears up to go completely electronic, we must remember that there are, for all practical purposes, entire countries dedicating serious efforts to breaching United States data banks. Hackers are no longer identified as stereotypical, 98-pound computer savants. Many of them are professional criminals and terrorists. As a former CEO, I always had to be cognizant of the risk, then do whatever we felt we could afford to do to help mitigate that risk. Rarely, however, have I seen any type of comprehensive commitment to a comprehensive, multi-faceted approach to this effort.

The laws that address data breaches involve not only civil but also criminal penalties, and the individual laws of the various states often differ considerably. It doesn’t matter if your business is located in only one state. What matters is where your customers are from, and if they are a diverse group, you must comply with each state’s law regulating breach notification.

SunStone Consulting, LLC, and Immersion Ltd., through their InfoLaunch suite of products, are positioned to assist you in preparing for any type of breach. As Carberry and Chamberlin state, preparation must involve not only legal, but also communications, the C-suite, and risk management. They further recommend the following steps:

1. Be prepared

2. Move quickly

3. Take action, and

4. Be responsible.

The professional reputation damage that could be encountered by a hospital or physician practice that is not responsible, not prepared, slow-moving, and not action-oriented can be devastating.

Are you prepared?
