Example Engagement: Post-Breach Risk Assessment for a University Health System
After a breach of protected health information (PHI), a university health system engaged outside counsel and HALOCK to create a risk-based roadmap toward “reasonable” and “appropriate” security. The health system was concerned that the Department of Health and Human Services Office for Civil Rights (“OCR”) would impose an unreasonably burdensome security plan. The team used Duty of Care Risk Analysis (“DoCRA”) to establish the health system’s definition of acceptable risk, which accounted for its mission to care for the university community, its objective to operate as a successful health system, and its obligations to protect its patient population and their protected health information. With that definition in place, the health system could evaluate both its security risks and its security controls for reasonableness, confirming that neither the risks nor the burden of the controls would be too great. HALOCK conducted a risk analysis of the environment in which the breach occurred and vetted its findings with counsel before delivering them to the client. HALOCK and outside counsel then modeled a roadmap for reducing the identified risks to a degree that OCR found to be “reasonable” and that OCR accepted as the foundation for the health system’s risk management program.
Reasonable Security is Now Defined
The Sedona Conference – an influential think tank that advises attorneys, regulators, and judges on challenging technical matters – has released its Commentary on a Reasonable Security Test. The Commentary is the first document of its kind to provide the legal community with a clear definition of a “reasonable” security control.
Reasonable Security Resources
In Archive360’s Podcast Episode 29: What is “Reasonable Data Security”?, Bill Tolson and Chris Cronin, Partner, Governance and Engineering Practice at HALOCK Security Labs, try to define “reasonable data security” – a term that appears in every state’s privacy law or proposed privacy legislation.
PODCAST: Cybersecurity Where You Are. Co-hosts Tony Sager and Sean Atkinson are joined by Chris Cronin, ISO 27001 Auditor and Partner at HALOCK, a leading information security consultancy. Their discussion focuses on “reasonableness” as it relates to cybersecurity risk management.
RIMS RiskWorld Recording: Reasonable Security & The Questions a Judge Will Ask You After a Data Breach. In post-breach litigation, you must demonstrate due care and reasonable controls. Learn the basic questions the court will ask and how Duty of Care Risk Analysis (DoCRA) – based on judicial balancing tests and regulatory definitions of reasonable risk – helps you answer them.
HALOCK Security Labs is headquartered in the Chicago area. We partner with attorneys to advise and support their clients on reasonable information security strategies and cyber due diligence.