Challenge
The company’s privacy team relied heavily on spreadsheets and an internal legal group to manage its privacy and security incidents.
Providing healthcare solutions to more than 5.5 million members in the U.S., this company faced an array of breach notification regulations, from HIPAA to 50 individual state laws. Their existing incident response workflow platform wasn’t going to cut it.
Solutions
The company dropped their existing incident response workflow platform in favor of Radar® Privacy.
Their original platform lacked critical features, such as automated multi-factor, multi-jurisdictional incident risk assessment, and breach notification recommendations. With an average of 50 incidents per month, the privacy team knew it had to replace this process with a streamlined solution – Radar® Privacy.
A large healthcare company boosts efficiency and reduces breach risk with Radar® Privacy.
A Fortune 200 company that provides healthcare solutions to more than 5.5 million members in the U.S. faces a bewildering array of breach notification regulations, from HIPAA to 50 individual state laws. The company’s privacy team relied heavily on spreadsheets and an internal legal group to manage its privacy and security incidents.
With an average of 50 incidents per month, the privacy team knew it had to replace this manual process with a streamlined solution. They tried an incident response workflow platform, but it lacked critical features, such as automated multi-factor, multi-jurisdictional incident risk assessment, and breach notification recommendations. They dropped this platform in favor of Radar® Privacy.
90-95% more efficient
Every incident requires detailed documentation and a consistent incident risk assessment in accordance with all federal, state, and international laws where an organization conducts business or the affected individuals reside. Radar® Privacy is up-to-date with all breach notification regulations, saving the healthcare company’s legal team the hassle of monitoring them.
“With Radar® Privacy, we’re 90 to 95 percent more efficient in this respect,” the privacy team lead says. “Radar® Privacy also helps mitigate risk. We did not have the resources for someone to monitor rule changes and updates full-time. This lack of dedicated attention increased the risk that a change to legislation or regulations could be missed.”
Risk Assessments Completed in Half the Time
Prior to Radar® Privacy, the healthcare company struggled with a cumbersome manual process for reviewing the regulatory requirements for each new incident. “All of the legal and regulatory requirements around breaches, notifications, and deadlines are built right into Radar® Privacy,” says the privacy team lead. “This has created an easy workflow that’s saved at least 50 percent of the time it used to take to complete assessments.”
The privacy team lead also relies on the heat map Radar® Privacy generates for each incident, which reveals the risk of harm to impacted individuals. Another efficiency is the ability to get an assessment summary if the HHS Office for Civil Rights, a state attorney general, or another regulator requests documentation on a specific case.
Avoiding Costly Fines and Missed Deadlines
Contractual notification obligations are often measured in hours or days rather than weeks or months, and failure to meet the timelines can result in significant fines and penalties, including the possibility of a lost client. Radar® Privacy helps the healthcare company capture important contractual notification details for each external entity, including multiple notification timelines and contacts.
“Having Radar® Privacy populate the notification timelines for each contractual obligation has been a big help,” the privacy team lead says. “Before, we had to remember to look up the deadlines on our spreadsheet. If we missed a deadline, we could be fined $500 to $2,000 per contract.”
Reduce Follow-up on Incident Intake by 90%
Previously, the company only had a general mailbox for reporting incidents, which almost always required follow-up to get all the needed information. Now, the privacy team only has to follow up on about 10% of the incidents that are reported via Radar® Privacy’s incident intake forms. “The web forms really help guide the person reporting the incident in terms of the kind of information required,” the privacy team lead says.
One Assessment for Multiple Data Sets
Incidents don’t always involve a single data set; for example, a stolen briefcase may have a tablet, paper files, and a thumb drive, each with a distinct set of data impacted by different risk factors or regulatory requirements. Before Radar® Privacy, the healthcare company had to split such incidents into separate events—one for each data set.
Now the privacy team can better manage multiple data sets and the associated risk factors related to a single incident. These data sets are easily documented and assessed as distinct subsets of a single incident to maintain an accurate account of privacy data occurrences and to avoid over-counting incidents, significantly reducing assessment time.