5 steps to take after experiencing a data breach
It’s essential to take the steps necessary to prepare against a data breach, but after one does occur, knowing how to respond can make all the difference.
Mahmood Sher-Jan, vice president of product management at ID Experts, offers five steps to take once a breach has happened.
1. Widen your response team. Once you’ve assembled your initial incident response group, said Sher-Jan, it’s essential to “engage the various resources on your team. ... The team may have been doing the initial investigation as a small team, but now you have a breach and you may have to include a broader set of people in the organization.” Those people could include internal resources, but also outside resources who can help begin the notification process and assess who needs to be notified and how.
2. Determine who to notify, and how. Another component of the overall response plan is to determine who needs to be notified and how to go about doing it. “They need to keep in mind the segmentation of the patient base and the nature of the covered entity,” said Sher-Jan. “There may have been population data sets whose records have been compromised, and they may not have been homogeneous.” For example, some patients can be minors and others deceased. “There are special considerations you have to take when it comes to healthcare.” Keep in mind, Sher-Jan added, how employees will be expected to deal with and explain the situation to patients. “That’s a sensitive part of the business,” he said. “Organizations shouldn’t take that lightly because that’s where their organization is most at risk – that inbound activity can make a tremendous difference with their reputation and overall cost.”
3. Keep the patient population in mind. When thinking about your different patient populations, Sher-Jan added, it’s important to consider different means of communication. “If they’re a minor, it doesn’t make sense to offer them credit monitoring, for example,” he said. A text message alert may be more appropriate for a minor, whereas an elderly patient would prefer a letter in the mail. “The scenario is going to depend on the profile of the patients you have,” he said. When it comes to younger patients, social media may also be a viable option, but Sher-Jan warned to be careful. “It may be a preferred way to receive notifications, but it’s an evolving piece that needs to be thought out,” he said. “It makes such a viral impact that you don’t want to send out the wrong information.”
4. Know your state and federal laws. “You have to know if there are federal or state agencies that are expecting certain notification or reporting once these incidents occur,” said Sher-Jan. “Primarily HITECH; depending on the number of days since you’ve been compromised, either contemporaneously or within 60 days, you have to notify HHS Office for Civil Rights.” Keep in mind that each state has its own set of “obligations,” said Sher-Jan. “There’s a whole state-level requirement, and sometimes, those agencies want to see an example of your individual notifications,” he said. “You have to make sure they approve of what you’re telling patients, or victims. For example, sometimes they may require you to report it to a [credit tracking system]. So, it can vary.”
5. Ensure everything is well documented. Lastly, Sher-Jan emphasized the importance of documenting all your processes. “Based on the profile of your institution, you could get a knock on the door from HHS or OCR or your state agency, and you need to make sure you survive the investigation,” he said. “Make sure it doesn’t result in additional demands on your compliance structure and operations; it’s important to anticipate a follow-up and have your ducks in a row.” Sher-Jan also advised that if you use outside services and vendors, you make sure they can help and support you in that process. “Make sure they’re using additional documentation that can support your activity when the incident occurs.”
Follow Michelle McNickle on Twitter, @Michelle_writes