On the surface, the news seems hopeful: The number of patient records compromised by hackers is declining.
But that’s no reason to breathe easy, as overall incidents are on the rise. The 46 healthcare data breaches in April 2019 mark the highest monthly tally since federal authorities began publishing breach statistics more than a decade ago, according to the HIPAA Journal.
No facility is immune. Breaches hit hospitals and clinics of all stripes, as evidenced by a Becker’s Hospital Review list of recently affected providers. Just as concerning, a HIMSS and Symantec study found 75 percent of healthcare organizations spend 6 percent or less of their IT budgets on cybersecurity — a smaller share than some other industries, such as banking and finance.
That is why healthcare leaders shouldn’t view hacking as a “what if” hypothetical. It should be an expected scenario that’s as central to contingency plans as a facility fire or a natural disaster.
Although specifics may vary, these basic steps can help inform every team’s game plan.
Prepare a Healthcare Data Breach Response Plan
It’s not enough to discuss how you’ll react if a breach occurs. A formal written plan must be established, circulated among leadership teams and IT staff, and reviewed on a regular basis to ensure action points are up to date and consider a variety of potential problems.
Working with key stakeholders in your business should help determine which data and systems require immediate attention, Jesse Wiener notes on CDW’s Solutions Blog. Having that formal evaluation in place can reduce chaos and properly divert resources during a crisis.
It’s also critical to review your IT team’s capacities. Keep a list of trusted vendors and partners at the ready if a breach is unmanageable. After all, “you’re only as strong as your weakest link,” Halifax Health Vice President and CIO Tom Stafford said at this year’s HIMSS conference.
React Decisively, Then Prepare for the Next Breach
First, remain calm. Document the specific facts — including the date and time the breach was discovered, how you were notified of the problem and what actions were taken. This will be crucial when communicating with authorities, partners and patients.
A recent blog post by SecurityMetrics details the crucial first steps. Among them: disconnecting affected systems, disabling access points, changing passwords and credentials, and segregating all hardware devices and internet traffic in the EMR. Collect further documentation by quarantining identified malware and taking screenshots of firewall settings and security logs.
As soon as things are under control, conduct a post-breach review. As systems come back online and workflows resume, organizations should address and review breach notification methods, whether the right people were notified and what new steps can be taken to avoid a repeat occurrence.
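The article says to document the date and time of discovery, how you were notified, and what actions were taken, and to preserve artifacts such as firewall settings and security logs. The script below is an added example, not code from the article or from SecurityMetrics or CDW: it keeps that incident record as structured data and fixes each collected artifact with a SHA-256 digest, so an accidental edit or later tampering shows up when the manifest is re-verified before it is handed to authorities, partners or counsel. The incident id, actor names, firewall rules and log line are all constructed for illustration.

```python
# Added example (not from the HealthTech article): an incident record that captures
# the facts the article says to document (discovery time, how you were notified,
# actions taken) plus an evidence manifest that fixes collected artifacts, such as a
# firewall configuration snapshot and a security log, with SHA-256 digests so that a
# later edit is detectable. All names, file contents and the incident id are constructed.
import hashlib
import json
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample artifacts standing in for real captures.
FIREWALL_SNAPSHOT = b"rule 10 deny tcp any any eq 3389\nrule 20 permit tcp 10.0.0.0/8 any eq 443\n"
SECURITY_LOG = b"2019-04-15T02:13:07Z auth failure user=svc_emr src=10.20.4.9\n"


def now_iso() -> str:
    """Current UTC time as an ISO-8601 string, used for every timeline entry."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the file so large log captures do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class IncidentRecord:
    incident_id: str
    discovered_at: str      # ISO-8601 timestamp: when the breach was discovered
    notified_via: str       # how the team learned of it (alert, vendor call, patient report)
    actions: list = field(default_factory=list)
    evidence: dict = field(default_factory=dict)   # label -> {"path", "sha256", "collected_at"}

    def log_action(self, actor: str, description: str) -> dict:
        """Append a timestamped entry to the action timeline."""
        entry = {"at": now_iso(), "actor": actor, "action": description}
        self.actions.append(entry)
        return entry

    def add_evidence(self, label: str, path: Path) -> str:
        """Record a collected artifact and its digest at collection time."""
        digest = sha256_file(path)
        self.evidence[label] = {"path": str(path), "sha256": digest, "collected_at": now_iso()}
        return digest

    def verify_evidence(self) -> list:
        """Return labels whose file no longer matches the digest recorded at collection."""
        return [label for label, meta in self.evidence.items()
                if sha256_file(Path(meta["path"])) != meta["sha256"]]

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2, sort_keys=True)


def run_demo() -> dict:
    """Build a record from the constructed artifacts, then show an edit to one being caught."""
    with tempfile.TemporaryDirectory() as tmp:
        fw = Path(tmp) / "firewall-config.txt"
        log = Path(tmp) / "security.log"
        fw.write_bytes(FIREWALL_SNAPSHOT)
        log.write_bytes(SECURITY_LOG)

        rec = IncidentRecord("INC-EXAMPLE-001", now_iso(), "SIEM alert escalated by on-call analyst")
        rec.log_action("on-call analyst", "disconnected affected EMR application server from the network")
        rec.log_action("IT manager", "disabled remote access points; reset service credentials")
        rec.add_evidence("firewall-config", fw)
        rec.add_evidence("security-log", log)
        clean = rec.verify_evidence()   # nothing changed yet, so this is empty

        # Simulate an after-the-fact edit to the log: the kind of change the manifest exists to expose.
        log.write_bytes(SECURITY_LOG + b"2019-04-15T09:00:00Z note: nothing happened\n")
        tampered = rec.verify_evidence()
        return {"record": rec, "clean": clean, "tampered": tampered, "json": rec.to_json()}


if __name__ == "__main__":
    result = run_demo()
    print(result["json"])
    print("integrity failures:", result["tampered"])
```

In practice the JSON record and the original artifacts would be stored somewhere the response team cannot quietly rewrite (write-once storage or a ticketing system with its own audit trail), and `verify_evidence` would be run again at each hand-off so the post-breach review works from the same facts that were captured on the day.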
Communicate Data Breach News with Honesty, Caution
It might seem logical to keep quiet, but silence isn’t an option. Transparency is the law: The HIPAA Breach Notification Rule requires covered entities to report a breach within 60 days to the U.S. Department of Health and Human Services if 500 or more individuals are affected.
Work with your media relations and legal teams to properly inform authorities (smaller breaches may be submitted annually) as well as your employees. The latter notification is key to helping staff learn to recognize threats such as phishing — and to prevent staffers from discussing the breach externally.
Depending on the size and scope, the breach may require public statements. Admitting a weakness may be difficult, but withholding the news for an extended period can also erode trust. Explain only necessary details and assure patients that their data is secure.
Document your organization’s actions throughout the process. Make note of missteps your organization may have taken and record the reactions from both the public and your employees. By conducting this review, your organization will be better equipped to respond to data breaches in the future.