
BUSINESS

                                        continued from page 31

T’wasn’t the Iceberg that killed the Titanic’s Passengers.
It was Poor Policy and Training.
Accidents happen; Tragedy doesn’t have to.

Decisions that caused the death of two-thirds of the 2200 passengers were made a thousand miles away, and five years earlier than the ship left dry dock.

• Begin with "Technological Hubris" - From the boardroom to the docks, the Design Committee of Major Construction firmly believed that the “Water Tight Compartments” made it impossible to sink. (Never, ever say "Never.")

• "Safeguards" were all Technical, not Personal and Physical
• Only 20 lifeboats instead of the 60 that would have had room for all 2100 passengers.
• There was negligible staff training — boat lowering was NEVER drilled.
• There were NO passenger evacuation drills — the only one scheduled was cancelled the day of the crash.
• Of the 20 lifeboats:
      o Only 18 were launched
      o 2 sank in the process
      o Most boats were half filled
      o 700 survivors of the 2200 passengers
      o The com officer was still using outmoded CQD ... not SOS, adopted in 1905
      o Nor were the emergency flares and rockets understood to be anything but fireworks by nearby ships ... that could have rescued the passengers.

So when HIPAA calls for an annual Risk Assessment and analysis of office safeguards, don't think "CMS" or "HHS" ... Think of the RMS Titanic and the 1500 passengers who trusted in the "Can't never happen here" doctrine. It can. It does. And if Policies and Processes aren't followed ... It Will!

liability carrier – and make sure your cyber liability insurance covers the costs of ransomware removal, forensic investigation, breach notification, OCR investigation, and fines and penalties.

And if you don’t already have one, retain a lawyer who has handled HIPAA incidents. If an attack was successful, is there someone at your company that knows how to acquire bitcoins to pay the ransom? An attorney would — as well as determining the risk of not paying the ransom at all. Recent trends show less honor among thieves: first payments can simply be the ante to an ongoing game you’re bound to lose.

David Schulz, certified information privacy and certified HIPAA professional, is Executive Director and CEO of Cyber Risk Associates, LLC, compliance specialists for small and boutique healthcare practices and associates in the San Antonio area. He is a community representative on the BCMS Communications/Publications Committee.

32 San Antonio Medicine • October 2017