Healthcare , Incident & Breach Response , Industry Specific

How to Improve Health Data Breach Response Planning

Experts Offer Tips for Ironing Out Common Kinks in Incident Response
How to Improve Health Data Breach Response Planning
Responding to health data security incidents and breaches takes thorough planning and a lot of practice, experts say. (Image: Getty)

You'd think that by now, the healthcare sector would have plenty of experience in responding to data breaches, considering the hundreds of protected health information compromises that get reported annually to regulators - not to mention the record number of health data breaches reported in just the last year alone. But unfortunately, when security leaders are dealing with an incident, response plans can go awry.

See Also: Offensive Security: Lose That Loser's Mindset

That includes underestimating and improperly preparing the internal and external parties that will play critical roles in the response - such as containing and investigating the incident, determining whether protected health information was compromised, notifying affected individuals and conducting regulatory reporting - and all the many other tasks in between.

"Some of the top mistakes healthcare organizations make in crafting data breach response plans is not having a good understanding of how all the key stakeholders will participate or contribute to include third-party vendors," said Dave Bailey, vice president at consulting firm Clearwater. "A major contributing factor is not having an up-to-date business impact analysis."

The best way to ensure a response plan will minimize the impact of a cyber incident is to exercise and validate the plan, he said. "Regular practice and rehearsing of incident response is a key component to achieve resiliency. Having a plan to achieve resilience can make reporting and compliance requirements easier and timely," he said.

Security incidents that tend to be the most difficult for healthcare organizations to respond to are those where system disruption or denial of service is accompanied with data exfiltration and extortion, Bailey said. "Lengthy downtimes and strain on limited staff and resources is daunting."

Besides potential compromises to patient data, the healthcare and public health sector faces an array of other issues, including patient safety and clinical care concerns in incidents where IT systems are disrupted by ransomware and similar attacks. "We have witnessed local and regional impacts to surrounding hospitals where the affected hospital is unable to care for patients and those patients are directed elsewhere," Ron Pelletier, founder and chief customer officer of security firm Pondurance, said.

Regional preparedness and response to regional incidents that could affect neighboring organizations is also important.

Entities should conduct regular training such as incident response drills and exercises, said Jon Moore, chief risk officer at Clearwater.

"These drills should include participation by all stakeholders who are likely to be involved in a response, including senior leaders, legal and public relations representatives, along with IT, security and privacy teams. If third parties are likely to be involved in the response, they should be asked to participate as well," he said.

Reporting Considerations

Once the immediate impact of the incident settles, it is crucial to conduct a thorough investigation into the whether a breach of PHI occurred. It's bad enough to have a major health data breach affecting hundreds, thousands or even millions of individuals. But poor handling of the situation can make matters worse, including delayed notification and reporting.

Under the HIPAA breach notification rule, covered entities must notify individuals whose PHI is compromised within 60 days of the discovery of a breach. Some state have even shorter notification mandates. But as many class action lawsuits filed in the aftermath of large breaches spotlight, those notification deadlines are frequently missed, potentially compounding the potential risks - such as ID theft and fraud - that affected individuals face.

"The timeliness of reporting is often an issue. Sometimes this is the result of struggling to get the information for effective reporting. Sometimes it is the result of negligence on the part of the organization," Moore said.

"On the flip side, in their haste to meet reporting requirements, organizations often report information that proves to be inaccurate or incomplete. They then must update their reports, which can cause issues around trust in the organization both by the regulator and the public."

Healthcare sector entities need to think about their regulatory requirements not as a checklist but as a part of their risk management and security practice that needs to work together, said Dustin Hutchison, CISO and vice president of services at Pondurance.

"The threats to healthcare are evolving and while regulatory requirements change less rapidly, the ability to adhere to the requirements and have a dynamic security program will help protect systems and data," he said.

The ability to demonstrate compliance and security practices is important but especially after an incident, Hutchinson said. "Entities proactively sharing information can help protect others by helping with visibility and preparedness, and individuals affected by any incident should have confidence in how their data is protected - even when an incident occurs."

Healthcare entities should prioritize meeting regulatory requirements and executing effective communication strategies following data security incidents, Moore said. To achieve this, organizations should first understand relevant regulations and contractual obligations and develop a comprehensive incident response plan that outlines procedures for assessing, containing and mitigating incidents, he said.

"Assign clear roles and responsibilities to personnel involved in communication and response efforts."

Timely and transparent communication with affected individuals and the public is crucial. "Tailor communication to different audiences and offer support and resources to those impacted. Engage with regulators and authorities proactively throughout the process, cooperating fully with investigations and compliance requirements," Moore said.

After resolving the incident, he said, entities should conduct a thorough post-incident analysis to identify areas for improvement in communication strategies and incident response procedures.

"By following these steps, healthcare entities can effectively meet regulatory obligations, maintain trust and mitigate reputational damage in the aftermath of data security incidents," Moore said.

Advance Planning

As the old saying goes, it's not a matter of if an organizations will suffer a breach, it's a matter of when. So organizations must be ready for the inevitable, experts advise.

"Test and update your plan. Not once, not twice, but constantly," Pelletier said. Tabletop exercises are good to identify capabilities and weaknesses, he said.

"Be sure to involve top leadership in those exercises, as they will undoubtedly be called on to help with various aspects of response and crisis management and, most importantly, they will understand that incident response is a process and breaches are not quick-fix endeavors," he said.

"We've seen too many times where organizations did not involve executives in the testing of plans, only to have those executives alter the response based on how they think their company should proceed, putting the company further at risk."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.