Third-Party Risk Management Strategies for Data BreachesHow to Defend Against Cyberattacks in Healthcare Organizations
The Blackbaud breach of 2020 was listed by HIPAA Journal as one of the largest healthcare data breaches of all time. Blackbaud, a large technology company, discovered a ransomware attack in May 2020. To make matters worse, the actual breach happened in February and wasn’t discovered by Blackbaud until months later. As of January 2021, more than six dozen healthcare organizations had shared that they’d been affected and over 8 million healthcare records had potentially been compromised.
Hackers can strike any industry, but there has been an alarming increase in targeted and successful cyberattacks in healthcare. According to data from the Department of Health and Human Services, there has been an 84% increase in data breaches against healthcare organizations from 2018 to 2021. Now, more than ever, it's essential that your healthcare organization is prepared and has strategies in place for managing data breaches. Remember, it is not a matter of if your security will be breached. Unfortunately, it's a matter of when.
7 Strategies for Managing Data Breaches
It's happened. You've experienced a data breach, or maybe one of your third parties has been the victim of one. What should you do next?
You can reduce the impact on your organization and your patients by doing the following:
- Follow your remediation policy. An effective remediation policy addresses data breaches quickly as well as effectively communicates with patients. Be sure to follow your notification policy for patients as well.
- Be transparent. Even though admitting a breach is never enjoyable, putting off the inevitable will lead to more mistrust and damage to your reputation.
- To continue to keep patient trust, offer credit monitoring services. A data breach containing nonpublic personal information - NPPI - or protected health information - PHI - may ultimately increase individuals' risk of identity theft.
- Implement more vigorous user authentication procedures. This is especially important if patients have access to online tools.
- Perform a root cause analysis and enhance security controls. By studying this breach, you can create a stronger information security system and protocols going forward.
- Assess your overall information security processes. Document updates and provide employees with refresher training on topics such as how to spot a phishing email.
- If a third party caused the breach, make sure that they notified you on time. Make sure your contract language specifies the notification requirements for data breaches. Identify the consequence of a breach and outline what will happen afterward - for example, a more intensive audit, additional testing, etc.
Breaches can have costly consequences, including lower patient confidence, steep fines, and regulatory scrutiny. If there is a breach, don't let the damage escalate because you didn't follow up with the appropriate actions. Most importantly, take the initiative to learn from your mistakes. And make sure you have strategies in place to prevent the same events from occurring again. Keep documentation of how your organization handled a risk event to demonstrate proactive measures. Finally, make it a continuous practice to identify and assess new and emerging risks.
The truth is: No organization is immune from cyberattacks. But being proactive and having strategies in place to deal with the inevitable can lessen the potential occurrence, severity and impact of these events and protect your organization and its patients in the process.