Healthcare organizations (some, at least) prep for data breaches with drills, simulations and more

While payers and large health systems have detailed, cross-departmental protocols to manage security incidents, many hospitals 'don't even have plans in place.'
By Chuck Green
02:13 PM
data breach simulation

Several years ago, Blue Cross Blue Shield of Tennessee experienced a theft of hardware. Although it has no evidence that any information was accessed or used, like other healthcare organizations, BCBST recognizes its vulnerability to similar incidents or cyber attacks.

BCBST conducts one to two practice sessions per year, ranging from tabletop exercises to staging mock incidents, said Mark Williams, BCBST's principal systems security officer.

In a tabletop exercise, of course, participants review a simulated emergency situation. The drills, said Williams, are part of the facility's information security and information systems preparedness.

While Williams said BCBST's plan for an actual event – which has been upgraded since the theft – is proprietary, protocol includes notification of members of its computer response team and the opening of what he described as a bridge call. In a bridge call, impacted parities dial in to participate in real time communication to work through various elements "we believe are found in the incident," continued Williams. 

[Also: Buyers Guide to intrusion detection and prevention tools]

BCBST also utilizes at rest data encryption, a key preventive measure to protect sensitive data, Williams noted. Furthermore, a designated incident manager at BCBST – whose role is to ensure "we don't miss anything that might come back to haunt us," – oversees the overall event and determines when information is released and to whom, he said.

According to the latest Ponemon Institute study, data breaches data could be costing the healthcare industry $6.2 billion. Nearly 90 percent of healthcare organizations represented in this study had a data breach in the past two years, and nearly half, or 45 percent had more than five data breaches in the same time period. The majority of these breaches were small, containing fewer than 500 records.

Still, for the second year in a row, criminal attacks are the leading cause of data breaches in healthcare. In fact, 50 percent of healthcare organizations say the nature of the breach was a criminal attack and 13 percent say it was due to a malicious insider, Ponemon indicated.

Meantime, at Mount Sinai Health System in New York, a cyber breach would be managed by legal, regulatory and IT – all of whom have protocols in place to ensure compliance with regulatory and legal requirements, according to Kevin Chason, medical director, emergency management. Its management teams would assist with coordination where additional resources might be needed: "We've also conducted drills with all of these groups in this area to practice the procedures."

To help prevent or minimize technology blackouts due to, for example, a cyber incident or power outage, Chason said staff members are trained to ensure they're prepared to continue to provide patient care during a cyber breach.

"We conduct drills with our clinical staff where we teach them how to practice medicine the old fashioned way, like using paper, before we had computers," he said.

The health system also conducts exercises based on how to mobilize various groups to help manage a range of issues, such as communicating with the those behind an incident, he added.

Sign up for the Healthcare IT News Privacy & Security Update newsletter.  

In light of the real thing, Mount Sinai's emergency command system is activated and the director of emergency medicine helps coordinate operations and bring in resources. That way, an incident won't disrupt the facility's ability to continue to manage daily operations, said Chason.

But about half of all organizations have little or no confidence that they can detect all patient data loss or theft, according to Ponemon. Although there's been a slight increased investment over last year in technology, privacy and security budgets – as  personnel with technical expertise – the majority of healthcare organizations still don't have sufficient security budget to curtail or minimize data breach incidents.

Along those lines, in a number of instances, hospitals and other healthcare facilities lack proper planning – if any at all, says Candy Alexander, a Boston-based cybersecurity expert.

"Unfortunately, hospitals, clinics or those types of institutions really don't prepare -- never mind practice" – for a cyber event, noted Alexander. "A lot of them don't even have plans in place."

Why not? "I don't think they fully understand what that entails or means."

On top of that, while many healthcare organizations know they're required to have both a privacy and security officer, in many instances, "they don't understand their role and expectations," said Alexander, who has more than 30 years' experience in cyber security.

"An organization adds that responsibility to an individual's job title," she said. "If (that individual) is self motivated, they go out and find out what that means, but often they don't." 

[Commentary: Healthcare providers must spend more on cybersecurity readiness]

Exacerbating matters, said Alexander, data breaches, previously an issue primary in the financial sector, has shifted to healthcare, which is widely regarded as a "soft target."

Perhaps, but Prime Healthcare was ready when malware infected computer systems at Desert Valley Hospital, Chino Valley Medical Center and Alvarado Hospital Medical Center.

"Our IT department, in conjunction with our third party IT security consultant, were able to quickly identify the intrusion and implement policies and procedures already in place to contain the disruption," said spokeswoman Elizabeth Nikels in a prepared statement..

As part of these procedures, some systems at several other Prime Healthcare hospitals were brought offline for preventive maintenance, but those systems were quickly brought back up without compromising patient safety or patient or employee data, she added. 

Twitter: @HealthITNews

Like Healthcare IT News on Facebook and LinkedIn