How to Handle a Breach

By Art Gross, President and CEO, HIPAA Secure Now!
LinkedIn: Art Gross
X: @HIPAASecureNow
Read other articles by this author

Introduction:

“You’ve been breached”: three words that no business owner ever wants to hear, but for which they should be prepared. Data breaches have become an unfortunate reality for many organizations, especially those in the healthcare industry. Protecting sensitive patient information is not just a matter of compliance; it’s a crucial component of maintaining trust and reputation. In this blog, we will explore how to deal with a breach effectively, with a special focus on adhering to HIPAA regulations.

Section 1: Incident Response Plan

The first step in dealing with a data breach is having a well-defined incident response plan (IRP) in place. An IRP outlines the procedures and actions to be taken when a breach occurs. It should include:

Security Incident Response Team (SIRT):

Who are the stakeholders? Make sure these roles are defined and documented. Your SIRT may include:

  • Ownership/Management: leads response, likely in charge of PR
  • IT/MSP: responsible for restoring systems and conducting data forensics
  • Privacy/Security Officer: in charge of breach notification and documentation of incident, the response, and remediation steps

Identification and Containment
Detect and isolate the breach to prevent further data exposure.

Eradication and Recovery
Remove the threat and restore affected systems to normal operation.

Notification and Reporting
Notify the appropriate parties, including regulatory bodies and affected individuals.

Documentation
Keep a record of the incident, actions taken, and lessons learned for future prevention.

Section 2: Data Recovery and Backups

Data recovery is essential to restore normal operations after a breach. Regularly backing up your data is crucial, and these backups should be stored securely and tested for reliability. Be sure to have both cloud and non-cloud, offline backups. In the event of a breach, having clean and up-to-date backups can minimize downtime and data loss.

Section 3: HIPAA/Regulatory Concerns

Healthcare organizations must be acutely aware of their obligations under HIPAA and state regulations. Breaches can have severe regulatory consequences, including fines and legal action.

Ensure you are in compliance by:

  • Regularly reviewing and updating your HIPAA policies and procedures.
  • Conducting employee training to reinforce the importance of data security.
  • Engaging with a HIPAA compliance expert to perform regular audits.

Section 4: Breach Notification

Timely and accurate breach notification is a legal requirement. If a breach occurs, notify affected individuals and regulatory bodies promptly. The notification should include details of the breach, steps taken to mitigate it, and resources for affected individuals to protect themselves. If the breach affected more than 500 individuals, you will also need to notify the press without reasonable delay.

Section 5: Commonly Overlooked Items

Communication with Customers and Patients
Communicate transparently with affected individuals. Have a pre-written breach letter that demonstrates you are making a “good faith” effort to remedy the situation as soon as possible. You may also need to offer credit/identity monitoring.

Communication with the Press
Public relations are extremely important in the aftermath of a breach. Studies have shown that 60-65% of patients would leave their healthcare provider following a breach. In some cases, a press release or communication with the press may be necessary. Ownership or leadership should be prepared to make a statement and have a general idea of what to say before an incident ever happens.

Communication with Other Employees
Ensure your incident response team can communicate even if the usual channels are compromised. Maintain alternate contact information and establish communication protocols.

Data Forensics
Your IT company or another 3rd party will likely be responsible for determining what information was accessed during the breach. Understanding the scope of the breach can help in assessing the potential risks and impact.

Cyber Insurance
Your cyber insurance company should be notified of the breach immediately. They can potentially provide breach coaching/counseling, financial support, and/or a representative to communicate with cybercriminal(s). It is very important that you reevaluate your cyber insurance needs regularly, just like you would with other types of insurance. As your organization changes, your cyber insurance needs will likely change as well.

Human Impact
Don’t underestimate the emotional toll a breach can have on employees. Provide support, counseling, and resources to help them cope with the stress and anxiety that often accompanies a breach.

Conclusion:

Dealing with a data breach is a challenging process, but having a well-prepared and practiced incident response plan can make all the difference. Compliance with HIPAA regulations is non-negotiable for healthcare organizations, and it’s essential to be proactive in safeguarding sensitive patient information. By addressing commonly overlooked aspects, such as communication, data forensics, and employee support, you can minimize the damage and successfully navigate the aftermath of a breach while protecting your organization’s reputation and trust.

This article was originally published on HIPAA Secure Now! and is republished here with permission.