You’ve Had a Health Data Breach – Now What?

By Robert Lord
ICIT Fellow, Co-founder and CEO of Protenus

So, it happened. Your healthcare organization suffered a health data breach. Tens of thousands of electronic health records (EHRs) have potentially been compromised and you are still unsure of who the perpetrators were and how they accessed your system. What do you do now?

The first 72 hours after a health data breach are critical in determining how much damage the breach will cause. The first steps you take are arguably the most important because they will have a dramatic effect on the impact of the breach. In this post, we will take a closer look at the best practices for healthcare organizations after they have suffered a breach. In particular, we will examine how communicating, conducting a thorough forensic investigation, and documenting that investigation are some of the best ways for a healthcare organization to move forward after it has suffered a breach.

Be Prepared

Experts recommend that one of the first steps a healthcare organization takes after a health data breach is notifying everyone involved. This includes communicating internally – notifying the response team to put their plans into action and letting other employees know what happened – as well as communicating externally – notifying all affected patients and all appropriate government agencies.

When minutes matter, it’s important to be able to respond quickly and effectively. Organizations must be proactive and be aware of what federal and state regulations require in the event of a data breach. They should have a response plan ready for if and when it is needed. Otherwise, organizations will have to spend precious time trying to put a response team together and researching who they are required to notify by law.

Activating Your Response Plan

Internal communication in the aftermath of a health data breach is critical to mitigating the damage. Once a breach has occurred, it is time to notify your response team and put them into action. Normally, the leader of the response team is the chief privacy officer or someone from the legal department. However, organizations should not hesitate to employ as many resources as possible when responding to a breach. Thus, the response team should include members of the legal department, human resources, public relations, and customer service.

In addition, an organization might need to call on the expertise of external services after a breach, perhaps the most important one being digital forensic investigators, experts trained to locate evidence and reconstruct what happened during the breach.

Long-lasting damage to reputation and future revenue is at stake, so the action plan should draw on whatever resources are necessary, regardless of cost.

The Who, What, and How of Health Data Breaches

Once the response team is activated, the forensic investigation can begin. This investigation examines who was behind the breach, what data was compromised, and how that data was compromised. It requires forensic investigation experts who can determine where the perpetrators gained entry and which records were actually breached. In addition to technical experts, organizations with monitoring and forensics solutions in place can review the access to health data to determine whether the breach was the result of an insider threat or someone from outside the organization. This investigation allows an organization to pinpoint how the perpetrator was able to access the records, showing what weaknesses might remain within the organization’s security infrastructure.

If possible, an organization should conduct this investigation before notifying any victims, because the investigation will identify exactly what information was breached so the organization will only have to notify those patients who were actually affected and not simply a large number of people who might have been affected. The investigation is critical in providing the organization with as much accurate information as possible, allowing them to respond appropriately, truthfully, and effectively. However, there is always a careful balance between speed and thoroughness.  Waiting too long or being too thorough may expose affected patients to greater risk. An important job of the privacy officer is to thoughtfully consider and decide on the best course of action given these trade-offs.

Notifying Those Affected

In the wake of a breach, an organization generally must notify three different parties: affected patients, appropriate government agencies, and, if necessary, the local media. There are strict deadlines associated with notifying these entities, so an organization must ensure that it is aware of the deadlines and has a plan to meet them.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires a healthcare organization to notify victims within 60 days of the breach, but many states have different – and often stricter – deadlines. Likewise, HITECH requires an organization to notify the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) of all breaches. Breaches that affected fewer than 500 individuals must be reported annually. If, however, the breach affected more than 500 individuals, the organization must immediately notify OCR and it must also notify the local media.

Document Your Work

Once the investigation has begun, experts recommend that the response team document everything they do. In particular, they should document:

  • The situation immediately after the incident, including the state of any laptops or electronic devices;
  • The forensic investigation itself and any steps they took before, during, or after the investigation. Proactive analytics solutions may automatically document incidents, how workforce members interact with health data, and any comments or notes related to the investigation;
  • The patients who were notified after the breach and the timeframe in which they were notified.

This documentation is important in case state or federal entities conduct an investigation of their own into the incident and the organization’s response to it. By keeping such documentation, an organization can prove that it met all notification deadlines and also highlight what steps it took to mitigate the damage after the breach occurred. Moreover, an organization can use the documentation to review how its response plan worked, allowing for improvements to be made in case it is needed in the future.

Mitigating the Damage

Unfortunately, many experts today view health data breaches as inevitable, since it is incredibly difficult to establish a privacy or security system that can prevent every type of data breach 100% of the time. An organization that has proactive patient privacy analytics to monitor health data incidents and provide forensics, in addition to a tested response plan, can mitigate the severity of the breach damage. This combination allows the healthcare organization to respond quickly to a breach by conducting the investigation, gathering reliable information about the breach, and notifying affected parties effectively.

It’s not a matter of if, but when.  Planning and monitoring proactively will increase an organization’s ability to respond more effectively during a crisis. A little effort today will save tremendous effort down the road.


1 COMMENT

  1. Thanks for posting! Other than changing “Office of Civil Rights” to “Office for Civil Rights”, this is some of the best information I hope I never have to use given that you started off by stating,

    “Tens of thousands of electronic health records (EHRs) have potentially been compromised and you are still unsure of who the perpetrators were and how they accessed your system. What do you do now?”…

    It makes my typically encountered breach that affects 1 or 2 people much easier to deal with. Like some, I’ve had to work in the >500 people affected mode and hope that this continues to be the exception rather than the norm.
