8 Steps to Take in the Event of a Data Breach at Your Hospital
May 16, 2017
A recent IBM Security report found that 2016 was a historic year for data breaches, and the healthcare industry “continues to be beleaguered by a high number of incidents.” And the bigger the organization, the greater the risk—a JAMA study released last week revealed that larger hospitals and teaching-focused facilities often have greater access to healthcare data, and consequently, more data breaches.
Despite healthcare IT leaders’ best-laid security policies and procedures, implemented by multiple security tools, there’s always the chance that a lone hacker will find that one vulnerability in a single piece of software or hardware. And just like that, your hospital can find itself staring down the barrel of a breach that threatens to expose thousands of patient records—and jeopardize your organization’s hard-earned reputation.
No matter how conscientious, no IT department can prevent every data breach. But the way you handle a crisis will determine how people perceive your hospital after the breach. As the author of the aforementioned JAMA study stated, “To understand the risk of data breaches is the first step to manage it.”
If you wait until a breach occurs to develop a response protocol, you’re too late. The best way to manage a breach is to carefully craft your approach before an incident happens. We recommend including the following steps in your breach response:
1. Plan ahead
Start by assigning a strong cross-functional response team to take responsibility for creating and carrying out a customized response to the specific breach. This group should include a team lead and representatives from your organization’s executive team, IT, legal, risk management, privacy, PR/Marketing, and customer service, plus any required third parties.
Next, develop, document, and maintain an incident response plan. This plan should define how to determine whether a breach is occurring, what information to collect about the breach and how to collect it, and who to notify under what circumstances. Be sure to include contact information and timelines for notifications.
2. Should a breach occur, contact the response team
As soon as you become aware of a breach, contact your response team to tweak your plan for the incident at hand and put your response into motion.
3. Identify, isolate, and contain the problem
Immediately identify the source of the problem, whether it was caused by a firewall with an open port, malware, or a successful phishing attack. Then quarantine the affected system and remove the attacker.
4. Test to make sure the flaw is fully resolved
Once the attack is contained, enlist an external team of experts to perform rigorous penetration testing to ensure that the fixes are fulfilling their intended purpose and to identify potentially unknown attack vectors that future attackers could exploit.
5. Conduct forensics and root cause analysis
While the initial fix will address the symptoms of the breach, investigators should also do a root cause analysis to prevent the problem from recurring. By using forensics to analyze traffic and locate anomalies, IT can eliminate guesswork and the need to reproduce the problem.
6. Risk and impact analysis
The 2013 HIPAA Omnibus Final Rule states that hospitals must perform notifications for any breach involving unsecured protected health information (PHI) unless the covered entity (CE) (e.g., the hospital) or Business Associate (BA) (e.g., a contractor providing services to the hospital) can demonstrate that there is a low probability that the PHI has been compromised or unless an exception applies.
A thorough risk assessment enables you to determine whether the notification rules apply to the particular breach. This risk assessment should look at factors such as the sensitivity of the data, whether the data was actually accessed or viewed, and whether that information was protected by methods like encryption that mitigate the risk of specific, personal data loss.
7. Notify outside parties
Should notification be required, you must be aware of who to contact within what timeframe. HIPAA requires you to contact affected individuals no later than 60 days from discovery of the breach. If the breach involves more than 500 individuals, you must also provide details to the Department of Health and Human Services (HHS). If the breach involves more than 500 residents of a state or jurisdiction, you’ll also need to notify prominent media outlets serving that region. Some states have more stringent reporting requirements; for example, California requires hospitals and certain other health facilities to notify a state agency within 15 business days.
The notification must include a description of the breach, the types of information involved, what the CE is doing to investigate, mitigate harm, and prevent future breaches, and contact information.
8. Reevaluate your security measures
Your data breach response plan should be a living document. Continually evaluate your plan and implement policies, procedures, and technology updates as individuals change roles, your organization evolves, and you implement new technologies that need protection.
While data breaches are inevitable, a negative impact on your hospital doesn’t have to be. By developing a plan of action in advance, you can leap to action, taking immediate steps to contain any problems, promptly notify affected parties, and maintain your hospital’s reputation.
By Tom Saine
Tom Saine is Spok’s Chief Information Officer, a role he’s held since 2008. As CIO, he provides executive leadership for the company’s Information Technology and Wireless Messaging Network teams. He is a Certified Information Systems Security Professional (CISSP). He holds a Bachelor of Science in Management from California Coast University and a Master’s of Science in Engineering Management from Columbus University.