Although healthcare IT leaders implement advanced cybersecurity solutions and robust security policies and procedures, there’s always the chance that a lone hacker (or an employee with malicious intent) will find that one vulnerability in a single piece of software or hardware. And just like that, your hospital can find itself staring down the barrel of a breach that threatens to expose thousands of patient records—and jeopardize your organization’s hard-earned reputation.
An urgent alert on hospital breaches
The COVID-19 pandemic has escalated cybercrime in the form of ransomware attacks, data theft, and the disruption of services according to the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the U.S. Department of Health and Human Services (HHS). These agencies released a joint cybersecurity alert on Oct. 28, 2020, warning hospitals and public health agencies of an imminent increase in these cyber threats. They urged healthcare providers to take the proper steps to safeguard their networks and IT infrastructure.
No matter how conscientious, no IT department can prevent every hospital data breach. In late 2019, a Black Book Market Research survey reported that more than 93 percent of healthcare organizations had experienced a data breach since Q3 2016. But the way you handle a crisis will determine how people perceive your hospital after the situation is resolved. The problem is, if you wait to develop a protocol response to a breach until one occurs, you’re too late. The best way to manage a breach is to carefully craft your approach before an incident happens.
Start by assigning a strong cross-functional response team to take responsibility for creating and carrying out a customized response to a specific breach. This group should include a team lead as well as representatives from your organization’s executive team, IT, legal, risk management, privacy, PR/Marketing, and customer service as well as any required third parties.
Next, develop, document, and maintain an incident response plan. This plan should define how to detect a breach, what information to collect and how to do so, and who to notify under what circumstances. Be sure to include contact information and timelines for notifications.
8 steps to take
With this important legwork behind you, you can enact your plan if (and when) a breach occurs. We recommend including the following steps in your response:
1. Deploy the cross-functional response team
As soon as you detect a breach, contact your response team to adjust your plan for the incident at hand and begin to act.
2. Identify and contain
Immediately identify the source(s) of the threat, the scope of effected systems and infrastructure, the attack vector (web, email, network, …). Choose your containment strategy, “Watch and Learn” or “Disconnect.” It is always better to develop your containment strategy in advance through scenario planning, also known as “tabletop exercises,” rather than in the middle of an incident. Without the evidence you can’t conduct a thorough investigation so archive all relevant system, application, and network log files for troubleshooting and forensic analysis.
3. Eradicate and recover
Close all network vectors of exfiltration. Close all vectors of reinfection. Remove all “Remote Access Trojans (RAT)” backdoors and compromised credentials. Seize impacted hard drives or make a forensic image. During the recovery process consider wiping or replacing effected hard drives and re-imaging using up-to-date master images. Restore systems and data from known good backups. Perform rigorous penetration testing or red teaming exercises to ensure that the fixes are fulfilling their intended purpose and to identify potentially unknown attack vectors that other attackers could exploit.
4. Conduct forensics and root cause analysis
If your internal team doesn’t possess the necessary forensic skills, enlist an external team of experts to assist in forensic analysis. While the initial fix will address the symptoms of the breach, forensic investigators are required to perform a root cause analysis and confirm the effectiveness of your eradication and recovery efforts. The root cause is also required to properly develop enhanced controls and preventative measures to keep the problem from recurring.
5. Perform risk and impact analysis
The 2013 HIPAA Omnibus Final Rule states that hospitals must perform notifications for any breach involving unsecured protected health information (PHI) unless the covered entity (CE) (e.g., the hospital) or business associate (BA) (e.g., a contractor providing services to the hospital) can demonstrate that there is a low probability that the PHI has been compromised or unless an exception applies.
A thorough risk assessment enables you to determine whether the notification rules apply to the particular breach. This risk assessment should look at factors such as the sensitivity of the data, whether the data was actually accessed or viewed, and whether that information was protected by methods like encryption that mitigate the risk of specific, personal data loss. This risk assessment should be documented and retained, which may prove crucial if the incident is later investigated or audited by regulators.
6. Notify outside parties
Should notification be required, you must be aware of who to contact and within what timeframe. HIPAA requires you to contact affected individuals no later than 60 days from discovery of the breach. You must also provide details to HHS, which must be provided contemporaneously with the notice to individuals if the breach involves more than 500 individuals. If the breach involves more than 500 residents of a state or jurisdiction, you’ll also need to notify prominent media outlets serving that region. Some states have more stringent reporting requirements; for example, California requires hospitals and certain other health facilities to notify a state agency within 15 business days.
The notification must include a description of the breach; the types of information involved; what the CE is doing to investigate, mitigate harm, and prevent future breaches; and contact details.
7. Manage the message
Even if you don’t need to notify patients of the breach, internal word will likely spread among staff. If you have a crisis communication plan, this may detail how to handle your response. It’s critical to develop an internal FAQ to alleviate fears and keep erroneous information from spreading and negatively impacting your organization’s good standing. If you do need to notify patients, HHS, and/or media outlets, craft an accurate, thorough response and establish exactly who will be authorized to speak publicly about the situation.
8. Reevaluate your security measures
Your data breach response plan should be a living document. Continually evaluate your plan and implement policies, procedures, and technology updates as individuals change roles, your organization evolves, and you implement new technologies that need protection.
While data breaches may seem inevitable, a negative impact on your hospital doesn’t have to be. By developing a plan of action in advance, you can act quickly, taking immediate steps to contain any problems, promptly notify affected parties, and maintain your hospital’s reputation.