I was having a conversation with a colleague today who reminded me of the new meaning of ‘Don’t ask – don’t tell’ when it comes to breach disclosure.
I actually heard this theme from health care clinics and companies in response to some of the new health care reform acts, including the one that addresses electronic health care records.
That is, according to the new laws, health care companies must disclose breaches that they discover. But if they don’t discover them, they don’t need to disclose them. I had one health care clinic tell me that a sister hospital had run a proof-of-concept test with a vendor that monitored access to their systems for abuse, misuse, and assorted types of information leaks. They were shocked by the misuse and abuse that was uncovered and told the vendor to go away and not come back. They didn’t want to know about the incidents because they didn’t want to disclose them.
So much for government incentives.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.