4 data breach response best practices

By Rick Kam
10:00 AM

We’ll be honest. This is not another article about the details of data breach response—notification timelines, identity protection, remediation, and so forth. Data breaches are stressful events, and experience proves that such details are best handled by an expert third party. Instead, we’ll focus on the framework, or set of best practices in which to place these details — the how of a data breach response.


Most healthcare providers have their patients’ well-being at heart, and that attitude of caring goes a long way toward compliance, because regulators look for evidence that an organization takes protecting patient data seriously. These best practices help organizations demonstrate that goodwill in tangible, effective ways.

1. Take a PHI/PII inventory. An inventory provides a complete accounting of every element of PII and PHI that an organization holds, in either paper or electronic format. Through non-invasive interviews with line staff (the people who actually use the data), we can determine how an organization collects, uses, stores, and disposes of its PHI. A professional inventory goes beyond the IT security perspective to trace the flow of data through the whole organization. Although it’s time-consuming and complex to go it alone, an organization can conduct its own inventory; the Internet is chock full of checklists. Redspin has 8 simple rules for protecting PHI.

Outsourcing this to the experts is actually much less expensive than it sounds. A risk assessment, which may include inventorying PHI, costs less than 1% of the average cost of a data breach response, but it has big payoffs:

  • It provides a baseline for the Incident Response Plan, or IRP, by offering a clear picture of the risks for a data breach, so an organization can strategically protect PHI and plan its response based on real information.
  • It helps an organization create a prioritized list of must-dos and develop a budget to fix the vulnerabilities and manage problems.
  • It demonstrates to patients and regulators that an organization cares enough to proactively protect its data.
  • While there is always something to improve upon, we usually find that most organizations are doing the right thing most of the time. The problem is that they aren’t documenting their compliance activities as part of their security or privacy policies. Documentation closes the loop on compliance issues and reassures regulators that the organization is doing the right thing for its constituents.

2. Develop an Incident Response Plan. We discussed IRPs in the first two articles in this series (3 Tips for surviving an OCR breach investigation and 9 steps to take during an OCR data breach investigation). An IRP is an effective, cost-efficient means for helping organizations create what regulators call a “culture of compliance”—and avoid or minimize the damages from a data breach.

  • A customized IRP is tailored to help an organization meet HIPAA requirements and guidelines related to data breach incidents, and it reflects the organization’s culture. Among other things, it designates who is responsible for what and provides guidelines for the response team’s responsibilities and actions. Planning materials such as instructions, worksheets, templates and sample documents make it easier to build a tailored IRP. Such organized thinking gets tasks done faster, more efficiently, and with less expense. For example, a common problem with an unplanned response is under- or over-notifying, a mistake that can cost thousands of dollars.
  • It encourages cross-departmental communication in an otherwise “siloed” environment. Perhaps an organization’s risk team is evaluating cyberliability insurance without involving the executives responsible for compliance, privacy and information security. Such policies can impose significant restrictions on control, flexibility and vendor selection when a data breach incident has to be addressed, so those executives need a say before the policy is bought. Another symptom of isolation is the feeling that employees can’t communicate problems. We all want to put our best foot forward, so when an executive asks the IT department manager whether a new security system has been properly implemented, the temptation may be to answer “yes” when really a few bugs still need to be worked out. The IRP planning process forces these crucial conversations to occur, which minimizes such miscommunications.

3. Meet patients’ real needs.

That’s an obvious one, or is it? It’s a costly one, for sure. According to the results of a 2010 study by the Ponemon Institute, “organizations lose over $9 million to patient churn just from data breach incidents experienced over a two-year period.” Dollars aside, healthcare providers are, by nature, a caring group of people. They can lessen the impact of a data breach on their patients in a number of ways:

  • Offer “live,” knowledgeable support. Anybody can staff a call center with agents and a script. But in the middle of a crisis, patients need a “real” person who understands the specifics of their particular situation and can offer genuine support.
  • Provide the right type of help. One of the most annoying things we see in this industry is when healthcare providers offer credit monitoring to potential victims of medical identity theft. They are two separate problems: credit monitoring watches for new financial accounts and loans, while medical identity theft shows up as fraudulent insurance claims and inaccurate entries in a victim’s medical record, which credit monitoring will not catch. Medical identity monitoring is available, and smart organizations will offer it.

4. Look at data breaches as an opportunity. Believe it or not, data breaches have an upside: the opportunity to find the vulnerabilities across an organization, and to find the resources for fixing them. A data breach often opens up purse strings, giving privacy officers a budget where there may have been none. In addition, privacy officers and other response team members can prove their value to executives. Perhaps most importantly, it’s a chance for organizations to demonstrate goodwill toward their patients in the face of a crisis. It’s when times are tough that an organization shows what its real values are.

Every data breach is different, and the details will differ accordingly. But the determination to do the right thing in the face of a data breach should never waver. Taking a PHI inventory, establishing an Incident Response Plan, meeting patients’ real needs, and looking for the positive aspects of a data breach can all reflect your culture of commitment and caring. And that’s the best practice of all.


Rick Kam, CIPP, is president and co-founder of ID Experts. Rick is also chairing the “PHI Project,” a seminal research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).

Christine Arevalo is director of healthcare identity management and a founding employee of ID Experts. She has experience managing risk assessments, complex crisis communication strategies, and data breach response for healthcare organizations.