[BreachExchange] You’ve Had a Health Data Breach – Now What?

[Audrey McNeil]

http://complianceandethics.org/youve-health-data-breach-now/


So, it happened. Your healthcare organization suffered a health data
breach. Tens of thousands of electronic health records (EHRs) have
potentially been compromised and you are still unsure of who the
perpetrators were and how they accessed your system. What do you do now?

The first 72 hours after a health data breach are critical in determining
how much damage the breach will cause. The first steps you take are
arguably the most important because they will have a dramatic effect on the
impact of the breach. In this post, we will take a closer look at the best
practices for healthcare organizations after they have suffered a breach.
In particular, we will examine how communicating, conducting a thorough
forensic investigation, and documenting that investigation are some of the
best ways for a healthcare organization to move forward after it has
suffered a breach.

Be Prepared

Experts recommend that one of the first steps a healthcare organization
takes after a health data breach is notifying everyone involved. This
includes communicating internally – notifying the response team to put
their plans into action and letting other employees know what happened – as
well as communicating externally – notifying all affected patients and all
appropriate government agencies.

When minutes matter, it’s important to be able to respond quickly and
effectively. Organizations must be proactive and be aware of what federal
and state regulations require in the event of a data breach. They should
have a response plan ready for if and when it is needed. Otherwise,
organizations will have to spend precious time trying to put a response
team together and researching who they are required to notify by law.

Activating Your Response Plan

Internal communication in the aftermath of a health data breach is critical
to mitigating the damage. Once a breach has occurred, it is time to notify
your response team and put them into action. Normally, the leader of the
response team is the chief privacy officer or someone from the legal
department. However, organizations should not hesitate to employ as many
resources as possible when responding to a breach. Thus, the response team
should include members of the legal department, human resources, public
relations, and customer service.

In addition, an organization might need to call on the expertise of
external services after a breach, perhaps the most important one being
digital forensic investigators, experts trained to locate evidence and
reconstruct what happened during the breach.

Long-lasting damage to reputation and future revenue is at stake, so the
action plan should access whatever resources necessary, regardless of cost.

The Who, What, and How of Health Data Breaches

Once the response team is activated, the forensic investigation can begin.
This investigation examines who was behind the breach, what data was
compromised, and how that data was compromised. It requires forensic
investigation experts who can examine and determine where the perpetrators’
gained point of entry and which records were actually breached. In addition
to technical experts, organizations with monitoring and forensics solutions
in place can review the access to health data to determine if the breach
was a result of insider threats or someone from outside the organization.
This investigation allows an organization to pinpoint how the perpetrator
was able to access the records, showing what weaknesses might remain within
the organization’s security infrastructure.

If possible, an organization should conduct this investigation before
notifying any victims, because the investigation will identify exactly what
information was breached so the organization will only have to notify those
patients who were actually affected and not simply a large number of people
who might have been affected. The investigation is critical in providing
the organization with as much accurate information as possible, allowing
them to respond appropriately, truthfully, and effectively. However, there
is always a careful balance between speed and thoroughness.  Waiting too
long or being too thorough may expose affected patients to greater risk. An
important job of the privacy officer is to thoughtfully consider and decide
on the best course of action given these trade-offs.

Notifying Those Affected

In the wake of a breach, an organization generally must notify three
different parties: affected patients, appropriate government agencies, and,
if necessary, the local media. There are strict deadlines associated with
notifying these entities, so an organization must ensure that it is aware
of the deadlines and has a plan to meet them.

The Health Information Technology for Economic and Clinical Health (HITECH)
Act requires a healthcare organization to notify victims within 60 days of
the breach, but many states have different – and often stricter –
deadlines. Likewise, HITECH requires an organization to notify the U.S.
Department of Health and Human Services (HHS) Office of Civil Rights (OCR)
of all breaches. The organization must report any breach that affected less
than 500 individuals annually. If, however, the breach affected more than
500 individuals, the organization must immediately notify OCR and it must
also notify the local media.

Document Your Work

Once the investigation has begun, experts recommend that the response team
makes sure to document everything they do. In particular, they should
document:

The situation immediately after the incident, including the state of any
laptops or electronic devices;
The forensic investigation itself and any steps they took before, during,
or after the investigation. Proactive analytics solutions may automatically
document incidents, how workforce members interacts with health data, and
any comments or notes related to the investigation;
The patients who were notified after the breach and the timeframe in which
they were notified.

This documentation is important in case state or federal entities conduct
an investigation of their own into the incident and the organization’s
response to it. By keeping such documentation, an organization can prove
that it met all notification deadlines and also highlight what steps it
took to mitigate the damage after the breach occurred. Moreover, an
organization can use the documentation to review how its response plan
worked, allowing for improvements to be made in case it is needed in the
future.

Mitigating the Damage

Unfortunately, many experts today view health data breaches as inevitable,
since it is incredibly difficult to establish a privacy or security system
that can prevent every type of data breach 100% of the time. An
organization that has proactive patient privacy analytics that monitors
health data incidents and provides forensics, in addition to a tested
response plan, can help mitigate the severity of the breach damage. This
combination allows the healthcare organization to quickly respond to a
breach by conducting the investigation, gathering reliable information
about the breach, and notifying affected parties quickly and effectively.

It’s not a matter of if, but when.  Planning and monitoring proactively
will increase an organization’s ability to respond more effectively during
a crisis. A little effort today will save tremendous effort down the road.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170214/b57ff86b/attachment.html>