Responding to a Healthcare Data Breach

Faith Kubicki April 17, 2020

    With a record number of healthcare data breaches occurring in 2019 – 510 incidents of 500 or more records each, according to the HIPAA Journal – organizations are becoming more attentive to their security controls. Preventive measures, such as penetration testing and strong cybersecurity controls, can reduce the risk of a breach. However, the constant introduction of newer (and more sophisticated) threats means that the potential for an incident can never be completely eliminated.

    Proactive Planning can Reduce Breach Resolution Costs

    While prevention should be an organization’s primary focus, it’s crucial to prepare for a potential worst-case scenario. A documented plan prevents reactive decision-making, while enabling a faster response. This is one of the most reliable ways to reduce the cost (and organizational impact) of a healthcare data breach.

    Developing Your Data Breach Response Plan

    According to the NIST 800-61 Computer Security Incident Handling Guide, an incident response plan should include:

    • A definition of who is in charge of managing the incident.
    • A definition of what constitutes a breach and impact categories
    • Incident notification procedures
    • Regulatory requirements (such as HIPAA-mandated timeframes for notifying impacted parties)
    • Pre-drafted copies of crisis communications (with specifics that can be adjusted to the situation at hand)
    • Procedures for evidence preservation
    • Guidance for conducting a root-cause analysis after recovery has been completed

    Each employee on your Response Team should have clear roles and responsibilities, and each action should be part of an organized timeline.

    Assembling a Response Team

    A breach response team should consider including representatives from:

    • Information Security
    • Information Technology
    • Legal
    • Operations
    • Human Resources
    • Communications
    • Investor Relations
    • Any other relevant business unit leaders

    The team makeup should also define which members require 24/7 availability.

    Senior management should also contribute to the development (and execution) of an incident response plan.

    Elements of Your Healthcare Data Breach Response Plan

    Step One: Containment

    As soon as a breach is identified, containment is the top priority. Containment strategies will vary based on the type of incident. Containment criteria should consider:

    • Potential damage to and theft of resources
    • Need for evidence preservation
    • Service availability
    • Time and resources needed to implement the strategy

    Step Two: Eradicate the Issue

    Once the issue has been contained, work to eliminate the root cause. Remove malware, apply updates, and patch systems to address their vulnerabilities. During this phase, it is important to identify ALL affected hosts within the organization. Once complete, you can begin returning your systems to production.

    Step Three: Recovery

    Restore systems to normal operation, confirm systems are functioning normally, and remediate vulnerabilities to prevent future, similar incidents.

    Step Four: Notify the Appropriate Parties

    The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured protected information (PHI.) The Federal Trade Commission’s Health Breach Notification Rule prescribes a similar requirement for vendors of personal health records and third-party service providers.

    After a healthcare data breach, organizations must provide:

    • Individual notice – Organizations must notify all individuals impacted by the breach, informing them the nature of the breach, the types of information that has been exposed or stolen, what type of breach response plan is in place, and how affected individuals can mitigate their own risk.
    • Media notice – Organizations must submit a breach notification to a prominent media outlet in the area in which they operate, and a substitute breach notice should be uploaded to the organization’s website.

    The time frame in which this notification must be issued depends on the number of records that were involved, as well as the company’s location. Some states have more stringent data breach laws, requiring faster notifications. Local regulations may also require the provision of credit monitoring and identify theft protection services.

    Step 5: Root Cause Analysis

    One of the most important parts of incident response is learning and improving. Conducting a root-cause analysis will help the organization improve security measures and can help improve the incident response plan as well. In conducting a root cause analysis the following  questions should be considered:

    • What happened and at what times?
    • How well was the incident handled? Were documented procedures followed? Were documented procedures adequate?
    • Were any steps or actions taken that may have inhibited recovery?
    • How could communications have been improved?
    • What corrective actions could prevent a future, similar incident?
    • Were there signs that were missed? Does monitoring need to be refined?

    Testing Your Healthcare Data Breach Response Plan

    Once you have drafted a policy, test your response plan. A test can range from a meeting  where a scenario is defined and members of the team walk through the plan to discuss the handling of the plan of share perspectives to make relevant updates to the plan to a full simulation of an event to test a plan. The need for where on this spectrum testing should occur for each organization should be determined based on the cost / benefit of conducting testing at various levels.

    Preventing Future Data Breaches

    “The only thing worse than a data breach,” notes the FTC, “is multiple data breaches.” This is especially true of protected health information and medical data, for which the consequences of a breach can be especially high.

    Once your organization has recovered from the initial impact of the breach, you’ll need to improve your security posture to prevent another incident. The most appropriate steps will depend on the maturity of your cybersecurity program prior to the breach, but may include:

    • Introducing new controls
    • Investing in employee training
    • Gaining a third-party evaluation of your security program

    Rebuilding Trust

    A healthcare data breach can cause a considerable loss of trust. This not only applies to public perception of your organization, but internal confidence in the design and implementation of your controls.

    An independent assessment of your security and privacy efforts can help rebuild both. An auditor can identify the vulnerabilities that led to the recent incident, as well as other vulnerabilities that could potentially be exploited.

    Audits also provide third-party documentation that can help restore your image. Depending on the specific type of engagement, you may receive a formal report that you can share with clients and stakeholders (as is the case with a HIPAA Compliance Assessment or SOC Report for Cybersecurity), or you may earn a certification if specific requirements are met (as is the case with HITRUST).

    At 360 Advanced, we’ve helped a number of healthcare organizations – from some of the largest payors in the industry to small telemedicine platforms – improve their security posture. Providing risk assessments, penetration testing services, and a wide range of cybersecurity and compliance assessments, we can help you respond to – or reduce your risk of experiencing – a healthcare data breach. Our team is dedicated to helping making better businesses. For more information, contact us today.