June 1, 2021
Prepping for the Inevitable: Handling a Healthcare Data Breach
Did the Colonial Pipeline hack make you think about the vulnerability of your servers? Do you raise an eyebrow when you see headlines about yet another hospital cyberattack?
Good. Now, what do you do to ensure you’re as prepared as possible in the perpetually escalating game of cat and mouse that is data security?
Jarrard Inc. Vice President Justin Gibbs – our resident expert in data breach prep and crisis work – and Lynn Sessions, partner and leader of the Healthcare Privacy and Compliance team at national law firm BakerHostetler, recently offered their insight on dealing with these situations. Sessions is well-versed in the issue, having guided clients through over 700 incidents.
The issue is complex, of course, but her underlying recommendation is to get back to the basics. “What type of security do you have in place?” she asked. “Are you doing security risk analysis? Do you have multifactor authentication in place? Are you educating your staff on the risks? It’s nearly the same advice we’ve been giving as long as I’ve been doing this.”
Beyond those basics, Gibbs and Sessions shared how hospitals and health systems should prepare and respond. Whether your organization has already fallen prey to hackers and scammers or is just waiting for the bad guys to attack, Sessions and Gibbs have legal and communications steps you can take today.
“Get prepared now,” said Gibbs. “You know that it’s going to happen. Get your ducks in a row so you can protect the reputation of your organization that you’ve worked so hard to build over the years.”
Note: This is a general conversation, not specific legal advice. For that, contact Sessions.
Before a Breach Happens
- Know the territory. Treat an incident as likely, not hypothetical, and plan accordingly.
- Create an incident response plan. Gather an interdisciplinary group that includes legal, IT and communications, and may include finance and HR. Consider bringing in a legal or forensic firm to run a simulated breach (a tabletop exercise) so the team practices its response before a real one.
- Assign roles. Make sure that approvals for various actions are well-defined and clearly owned. If you do end up making a ransom payment, who signs off? What if that payment is demanded in cryptocurrency? How do you work with your board, and what’s their role?
- As you work toward compliance with transparency, interoperability and information blocking rules, explain the security measures you have in place. Educate patients on how they can protect their PHI.
- Train your team for the aftermath of a breach. These incidents can require a hospital’s network to be shut down for a day or more. Are your clinicians ready to break out the paper charts while your IT team gets your systems back online?
When a Breach Happens
It’s a fine line. Patients and employees need to know about a breach, but you don’t want to create panic. Go with responsible transparency. Sharing every detail likely isn’t necessary and could be harmful. What you should do, though, is:
- Start with the legal requirements. There are specific rules for what needs to be reported, and to whom. Under the HIPAA Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; HHS must be notified as well, and a breach affecting more than 500 residents of a state or jurisdiction also requires notice to prominent media outlets. State breach notification laws can add their own requirements. Talk to your legal team and get that out of the way first.
- Acknowledge that this is a very personal, scary event for patients. It’s their information in the hands of, well, someone. And that someone doesn’t have good intentions.
- Be realistic about what the breach could mean. Don’t act like it’s no big deal.
- Explain what you’re doing to preserve patient privacy and to continue operations across your organization.
- Explain what you’ve learned from the incident and how it will inform future IT plans.
- Stick to a single set of facts. Pull all the information into one place, update it as needed and ensure anyone speaking on the issue gets their talking points only from that central source. Otherwise, you risk conflicting messages and extending the news cycle.