Singapore geared up to manage Personal Data Protection Act

Singapore’s Ministry of Communications and Information (MCI) announced yesterday that it would set up a Personal Data Protection Commission (PDPC) and a Data Protection Advisory Committee on 2 January 2013 to respectively administer, and advise on the Personal Data Protection Act (PDPA) which will come into effect on the same day.


Personal Data Protection Commission (PDPC) would administer and enforce the PDPA, the PDPC, supported by the Infocomm Development Authority of Singapore (IDA), will be established on 2 January 2013.

The PDPC will undertake education and outreach programmes to help organisations and the public understand the law, as well as issue advisory guidelines for organisations to comply with the PDPA, from the first half of 2013.

The Commission will also work closely with sectoral regulators such as the Monetary Authority of Singapore (MAS), as well as associations including Singapore Business Federation (SBF) and Consumer Association of Singapore (CASE) to help organisations adjust to and comply with the Act. It will set up the DNC registry in early 2014 for public registration.

Data Protection Advisory Committee will be formed on 2 January 2013, to advise the PDPC on matters relating to the key roles of PDPC, administration and enforcement of the Act.

According to earlier report, the act covers all private sector organizations engaged in data activities within Singapore. The commission can impose fines of up to 1 million Singapore dollars ( about 820,000 U.S. dollars) for every offense and penalties of 10, 000 Singapore dollars (8,200 U.S. dollars) for every unsolicited marketing call or message to a number in the “Do Not Call” registry. This move would be a major step in consolidating the data protection and privacy moves in Singapore.

In News: HITRUST And (ISC)2 Launch First Certification For Healthcare Info Security Professionals


First Certification for for Information Security Professionsla in Healthcare Industry

(ISC)²® (“ISC-squared”), the world’s largest information security professional body and administrators of the CISSP®, and the Health Information Trust Alliance (HITRUST), a non-profit organization responsible for the development, management, education and awareness relating to health information security and the leading organization aiding the healthcare industry in advancing the state of information protection, announced recently they have entered into an agreement to meet the growing demand for qualified security professionals who can protect sensitive healthcare information.

This relationship was also established to allow both organizations to connect with key stakeholders in the healthcare market that can contribute to building new IT security certification and education programs for healthcare professionals.

According to a recently released HITRUST report, “A Look Back: U.S. Healthcare Data Breach Trends,” the healthcare industry has made very little progress in reducing the number of breaches and that the industry’s susceptibility to certain types of breaches has been largely
unchanged since breach data became available from the U.S. Department of Health and Human Services (HHS) and the new Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act went into effect.

The HITRUST analysis concludes that every organization would benefit from better education of professionals and the simpler identification of the necessary skills in professionals available to assist them in their security efforts. In fact, HHS recommends that smaller organizations seek out certified professionals to help conduct risk assessment and analysis if they lack the capability in-house.

“Through this cooperative relationship, HITRUST and (ISC)² will work together to ensure information security professionals working in healthcare have the required skills to be successful within their organizations and careers,” said Daniel Nutkis, chief executive officer, HITRUST.

“Our experience has shown us that organizations with more knowledgeable security professionals manage information risks better and have more advanced information security programs. Healthcare organizations will benefit from having a simpler method to ensure their information protection professionals have the appropriate skills.”

94% of healthcare organizations had a data breach last year

The Ponemon Institute just released their third annual “Benchmark Study on Patient Privacy & Data Security.” Sponsored by ID experts, the survey and report looks at data breaches in the healthcare industry. While some organizations have taken steps to strengthen their privacy and security programs the research indicates the majority lack budget and resources to prevent or detect breaches.

The survey reveals some impressive data, similar to the trends last year. While 94% of the healthcare organizations have reported at least one incident, as many as 45% organisations reported more than 5 data breach incidents. The report is talking about clinics and hospitals that are part of a healthcare network (46%), integrated delivery systems (36%) and standalone hospital or clinic (18%).

Data breaches of health records information continue to be a problem for the entire health care industry. Healthcare organizations have been increasingly facing fines due to the unauthorized disclosure of patient information. High numbers of patient accounts are involved anytime a breach happens which can amount to several hundred thousand to several million dollars in fines.

Disclosures made regarding a patient’s protected health information (PHI) without their authorization is considered a violation of the Privacy Rule under HIPAA.

Costs of data breach

What causes the data breaches?

No doubt, the data breaches are costly in terms of HIPAA compliance and penalties, what really is causing this?

A report from the Health Information Trust Alliance (HITRUST) shows that the biggest cause of HIPAA data breaches is theft and loss of laptops and other portable media, not hackers. The perps are most likely not after the health data, they are after the devices themselves, and your staff unfortunately makes it relatively easy for them to gain access to the critical HIPAA data just came along for the ride.The HITRUST research found that only 8% of the breaches were caused by hacking and/or malware. HITRUST is a national consortium of healthcare professionals that helps the health industry protect patient data.

Is BYOD penetration a reason for high number of violations? Ponemon reported that 81% of its survey respondents said they allowed BYOD to access organizational data, and 54% said they were not sure if those devices were secure.

Sarah Kliff reported recently in the Washington Post’s Wonkblog that doctors emailing with their patients is becoming increasingly common. That means that the industry needs to pay particular attention to smartphones, wrote Art Gross at the HIPAA Secure Now blog. In a post titled, “Your Smartphone Will Cause Your Next Data Breach,” Gross aims his argument at healthcare workers who don’t think they have any patient information on their smartphones.

“Smartphones can be used to access EMRs [electronic medical records], PACS [picture archiving and communication system], to provide remote access to [spreadsheets and documents] and run thousands of applications that may contain patient information,” he wrote.

Recommendations

As the case with any information sensitive organization, healthcare industry to focus on their data security processes and best practises of information security. As the threat landscape changes rapidly and the value of information increases, management need to focus more on securing their IT assets. IT risk assessments need to be carried out at frequent intervals than a routine annual assessment. There is a need to set up[ a proper IT Governance mechanism at board level to ensure the important resource to the organization- data – is protected.

In its recent report, HITRUST recommends specific measures to control the data breaches in the health care industry.

Endpoint Security

o Conduct an accurate inventory of endpoint devices and develop a “bring your own

device” (BYOD) policy and management program.

o Ensure email access is controlled and encrypt email

o Encrypt mobile computing devices and consider encrypting desktops

o Ensure less mobile endpoints such as servers are adequately protected

Mobile Media Security

o Restrict the use of unencrypted mobile media, including backup media such as

unencrypted tapes
Paper Records

o Ensure paper records are adequately secured when transitioning to an EHR system

o Make employees aware of proper handling and disposal procedures

o Provide an adequate number of shredders or shredding bins in convenient locations9

o Ensure bins are emptied regularly and require onsite shredding if possible

o Centrally store and manage paper records in a secure location
Business Associates (BA)

o Formally assess and manage the risks incurred with a BA

o Classify and manage risks based on impact and likelihood of a breach by the BA

o Periodically rePevaluate BAs based on changing risks but no less than every three years

o Limit BA access to only the information minimally necessary to conduct business
Physician Practices

o Treat physician practices that connect to your organization as high risk

o Require similar assurances from physician practices that you obtain from BAs

o Ensure risks are comprehensively assessed: administrative, technical and physical

o Minimize effort by leveraging existing resources from HHS, HITRUST and others