
What are best practices for data security?

Posted On: Nov. 27, 2011 12:00 AM CST

Careful planning is a key component of an effective risk management approach by health care institutions to mitigate problems raised by data breaches, experts say.

“Work internally with your security folks and your (information technology) people,” said Tom Srail, Cleveland-based senior vp with Willis North America Inc. “Understand what your risk is, where your data is stored and how you plan to handle incident response.”

Patrick Moylan, New York-based senior associate with Dubraski & Associates Insurance Services L.L.C., said, “It comes down to knowing the scope and type of data that they're handling; and from there, developing concrete internal and external policies and procedures in terms of uses of technology, their computer network security procedures, the protections around their mobile devices, encryption and firewalls.”

It is a matter of educating staff on the importance of this issue, said Lynn Sessions, counsel at law firm Baker & Hostetler L.L.P. While data security is very important, it also competes with other priorities, including hurricane and earthquake preparation, ensuring quality care and pay-for-performance issues.

“It's got to be made a priority in the organization, and it really does begin with the C-suite,” but is “often overlooked,” said Ms. Sessions. Engaging top executives on this issue “goes a very long way.”

“Identify a key person with accountability and responsibility within the organization for overall privacy and security,” said Oliver Brew, New York-based vp of specialty casualty at Liberty International Underwriters, a unit of Liberty Mutual Group Inc.

“If you have a leader who can embed a culture of privacy, then everything else will flow from that,” Mr. Brew said. “You need a champion” who can obtain a budget and interact with multiple departments to define their obligations, he said.

“We view education as critical to this issue,” ensuring that people are “aware that what they're doing does carry consequences if they do it inappropriately,” said Robert Parisi, senior vp at Marsh Inc.'s FINPRO practice in New York.

“A lot of breaches happen through just poor practices by individuals—everything from clicking on links they shouldn't click on, to downloading things on the Internet they shouldn't download, to speaking about things they shouldn't speak about,” said Nicholas Economidis, an underwriter of professional liability and specialty lines with Beazley Group P.L.C. in Philadelphia.

Encryption is also important. “If the budget is there,” encryption can make a dramatic difference; and, in fact, some state regulations already reflect that by offering safe harbors in cases where encryption is in place, said Mr. Brew.

Mr. Economidis said testing computer controls, including firewalls and anti-virus software, remains important. An automated vulnerability scan will provide recommendations on how to fix problems in system security, he said.

It is helpful to compartmentalize information to avoid having a large amount of data in one place that is vulnerable to an attack, said Mark Silvestri, Quincy, Mass.-based vp of product development and director of NetProtect at CNA Financial Corp.

In addition, Mr. Srail said more health care providers are attempting to “mask the information” so workers see only information that is essential for their particular job. “That's obviously a smart thing to do,” he said.
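The two practices described above, keeping data compartmentalized and masking it so each worker sees only what the job requires, can be expressed as a per-role field policy applied at the point where a record is read. The following is an added example and is not code from the article or from any of the firms quoted; the roles, the field list, the masking rules and the sample patient record are all constructed for illustration.

```python
"""Role-based field masking for a patient record.

Added example (not from the Business Insurance article): each role gets
only the fields its job needs, some of them reduced to a safe fragment,
and everything else is left out of the view entirely.  Roles, fields and
the sample record are assumptions made for this illustration.
"""
from copy import deepcopy

# Constructed sample record; every value here is fictitious.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1970-01-01",
    "ssn": "123-45-6789",
    "address": "1 Example St, Springfield",
    "diagnosis": "Type 2 diabetes",
    "medications": ["metformin"],
    "insurance_member_id": "INS-987654",
    "balance_due": 120.50,
}

# Policy (assumed for the example): which fields each role may see and how.
# "full"    -> value returned unchanged
# "partial" -> value masked down to a fragment (last 4 chars, or year only)
# A field not listed for a role is omitted from that role's view altogether.
ROLE_POLICY = {
    "clinician": {"patient_id": "full", "name": "full", "dob": "full",
                  "diagnosis": "full", "medications": "full"},
    "billing":   {"patient_id": "full", "name": "full", "ssn": "partial",
                  "insurance_member_id": "partial", "balance_due": "full"},
    "scheduler": {"patient_id": "full", "name": "full", "dob": "partial"},
}


def _mask_partial(field, value):
    """Reduce a value to a fragment: year only for dates, last 4 otherwise."""
    if field == "dob":
        return value[:4] + "-**-**"
    text = str(value)
    return "*" * max(len(text) - 4, 0) + text[-4:]


def view_record(record, role):
    """Return the subset of `record` that `role` may see, masked per policy.

    Unknown roles are refused rather than given a default view, so a
    misconfigured or new role cannot silently see everything.
    """
    if role not in ROLE_POLICY:
        raise PermissionError(f"no policy defined for role {role!r}")
    view = {}
    for field, mode in ROLE_POLICY[role].items():
        if field not in record:
            continue  # the record simply lacks this field; nothing to show
        value = deepcopy(record[field])  # never hand out the stored object
        view[field] = value if mode == "full" else _mask_partial(field, value)
    return view


def fields_visible_to(role):
    """List the field names a role's view can ever contain (for review)."""
    return sorted(ROLE_POLICY.get(role, {}))


if __name__ == "__main__":
    for role in ROLE_POLICY:
        print(role, view_record(SAMPLE_RECORD, role))
```

Because the policy is a plain table, it can be reviewed by the privacy lead the article recommends appointing, and `fields_visible_to` gives a quick way to check, role by role, that nobody is being shown more than the job calls for.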

“Be mindful of how the environment is changing, because these controls in place are generally pretty static” and health care institutions must remain vigilant in terms of how information can be compromised and seek ways to protect it, Mr. Silvestri said.

Health care providers also should have an incident-response plan in place, said observers.

“The breach response process is complicated and can be a very time-consuming process,” said Mr. Moylan. “Having essentially a breach response team in place—and having the internal communication between, say, compliance, legal, risk management, IT, all those departments on the same page in terms of who's doing what and how to respond to a breach—is certainly important,” he said.

“Communicating those policies internally and externally to any third parties that you're working with, then, is a continual process of reviewing and monitoring and assessment,” Mr. Moylan said.

Mr. Srail said, “Know where the contracts are, so you can get the information quickly and determine if there is insurance coverage” when there is a breach. Privacy or cyber coverage is “definitely something to consider.”

The marketplace “has gotten softer over the past 10 years,” and the coverage available is the cheapest and broadest to date, he said.

However, warned Mr. Parisi, “You don't want to have insurance as an alternative to taking appropriate risk management steps.”