Best practices: breach response

By Erin McCann
11:06 AM
'Don't give in to individuals who want to sugar coat this'

Some 90 percent of healthcare organizations have reported at least one data breach in the past two years, and more than a third have seen more than five. Responding to these breaches properly is integral not only to reining in costs and avoiding litigation but also to maintaining the integrity of the organization.

Gerry Hinkley, partner at Pillsbury Winthrop Shaw Pittman's healthcare practice, says breach response is an area where many organizations make major, easily avoidable missteps.

Hinkley, who spoke at the June HIMSS Media and Healthcare IT News Privacy and Security Forum in San Diego, works with myriad organizations on proper breach response. Many of them have faced legal action due to post-breach slip-ups on their part.

One of the biggest takeaways? "Don't give in to individuals who want to sugar coat this," he said. "You do much better really saying what happened up front ... individuals respect that."

First, in preparing for a potential HIPAA breach, organizations should engage their risk management department and look into purchasing cyber insurance, said Hinkley. But know what's in the insurance policy, as many cyber insurance policies are services agreements with pre-selected approaches to deal with breaches and subsequent notification.

"You need to be very careful in what you buy," said Hinkley.

Next, an organization should deploy a centrally managed platform, such as data loss prevention tooling, to detect and block unauthorized use and transmission of data. Then it's a matter of performing a rolling risk assessment, with continual security improvements driven by its findings.

Make sure you train and authenticate personnel, said Hinkley, who advised against relying on online-only training modules.

"My recommendation is that you have much more job-specific HIPAA incident training," he said, which in his experience proves more effective in the long run.

One of the cases Hinkley is currently working on involves a healthcare employee who emailed patient information to his home computer. This was a well-intentioned individual, he said, but one who'd only received training from an online module. 

Hinkley said employee training should be much more robust. "Not everybody who needs to be trained is getting training," he said. 

After the training piece, a healthcare organization should authorize and limit applications. Policies regarding notification, mitigation and reporting also need to be squared away, published and distributed.  

So what if a group does all this, and a breach still occurs?

Kick off an internal report; upstream reporting is critical, explained Hinkley. Breach notification should go all the way up the organization's chart to the CEO before HHS and the press are notified.

And although the HIPAA Breach Notification Rule gives covered entities and business associates up to 60 calendar days after discovery to notify HHS and the press (the rule's baseline is "without unreasonable delay"; the 60 days is an outer limit, not a target), Hinkley advised against taking that long. The sooner the better. "Don't use the 60 days to your advantage, because it's the end zone," he said. If groups wait until the last minute, the trust level also goes significantly down.

Immediately following the breach, credentials should be rotated and access authorizations reviewed, and all evidence (logs, affected systems, copies of the offending messages) should be preserved intact before remediation overwrites it, he pointed out. Involving legal counsel early can also bring the investigation under attorney-client privilege.
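The "preserve all the evidence" step above is the one that gets lost when remediation starts in a hurry. The following Python script is an added example for this article, not material from Hinkley or the publication: it hashes every collected artefact into a chain-of-custody manifest (who collected what, when, and its SHA-256) and re-verifies the collection later so that any file quietly edited, removed or added after collection is reported. The case number, collector name, file names and log content are constructed for illustration; the script assumes the artefacts have already been copied into one directory.

```python
"""Evidence-preservation manifest for breach response.

Added example, not the article's or Hinkley's own tooling. Assumes the
collected artefacts already sit under one directory; all names and file
contents below are constructed for illustration.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 16  # 64 KiB reads so large exports hash without loading into memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Record relative path, size, mtime and SHA-256 for every file under evidence_dir.

    This is the chain-of-custody record: it fixes what was collected and by whom,
    and the per-file hash later proves the artefact has not changed since.
    """
    entries = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries.append({
                "path": str(p.relative_to(evidence_dir)),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(p),
            })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def write_manifest(manifest: dict, out_path: Path) -> str:
    """Write the manifest and return its own SHA-256.

    Record that digest out-of-band (case notes, ticket), so the manifest cannot
    be edited along with the evidence without the discrepancy showing.
    """
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    out_path.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Re-hash the collection and classify each file as ok, modified, missing or unexpected."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    expected = {e["path"]: e["sha256"] for e in manifest["files"]}
    present = {str(p.relative_to(evidence_dir)) for p in evidence_dir.rglob("*") if p.is_file()}
    for rel, digest in expected.items():
        p = evidence_dir / rel
        if not p.exists():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(present - expected.keys())  # files added after collection
    return report


def run_demo() -> dict:
    """Constructed walk-through: collect two artefacts, then show that a later
    'clean-up' of one of them is caught by verification."""
    with tempfile.TemporaryDirectory() as d:
        ev = Path(d) / "case-0001"
        ev.mkdir()
        # Constructed evidence: a mail-gateway log line and a copy of the message.
        (ev / "mail-gateway.log").write_text(
            "outbound from=jdoe@hospital.example to=jdoe@home.example attach=patients.xlsx\n")
        (ev / "message.eml").write_text("Subject: patient list for tonight\n\nSee attached.\n")
        manifest = build_manifest(ev, collector="analyst-1", case_id="case-0001")
        # The manifest lives outside the evidence tree so it is not itself "unexpected".
        manifest_digest = write_manifest(manifest, Path(d) / "case-0001.manifest.json")
        before = verify_manifest(ev, manifest)
        (ev / "mail-gateway.log").write_text("\n")  # someone "tidies" the log afterwards
        after = verify_manifest(ev, manifest)
    return {"manifest_digest": manifest_digest, "before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script collects the two constructed artefacts cleanly, then reports `mail-gateway.log` as modified once it has been overwritten; the same `verify_manifest` call is what an analyst would run before handing evidence to counsel or a regulator, and the manifest's own digest is what makes the manifest itself tamper-evident.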

Next, it's about remediation. 

"What we advise is that, whatever the plan is, it should engender trust in your organization that you're doing the right thing," said Hinkley. "You can really put a lid on subsequent enforcement and litigation risk if you're very up front; you're apologetic; you're very clear on what the consequences are and you provide remedies that are well-tied to what the actual risks are that are presented to the individual."

Part of that includes setting up a 24/7 hotline for those affected, and offering, but not requiring, credit monitoring for affected patients.

Then, it's a matter of training, again. If the breach involved an employee who violated a policy or procedure, discipline is the way to go, said Hinkley. It's harsh but very much necessary.

"You can't put yourself in that position where somebody says, 'Well, gee, this is important, but it's not so important that my job could be compromised, or I could be disciplined in some way,'" he said. "Individuals who act out need to be dealt with," which includes those employees who act in "reckless disregard" for an organization's policies. 

Michael Allred, information security consultant and identity and access team manager at Intermountain, who also spoke at the forum, agreed. He recalled a conversation he had with his chief information officer, who very seriously told him: "If we have a data security breach, someone's going to lose their job." That's just the nature of the game nowadays. 

The big takeaway? Accountability, said Hinkley. It really does wonders for reducing subsequent enforcement and litigation risks.

Victims of a data breach believe their healthcare organization has "let them down," he said. "It's more than (if) you felt like Target let you down, or Neiman Marcus let you down, when your records may have been compromised," he explained, "because it's someone they trust for medical decisions."