As Data Breaches Spread, Providers and Payers Must Prepare

By Lena J. Weiner
May 06, 2015

The actions taken by an organization in the days, weeks, and months after a security breach can mean the difference between recovery and organizational failure—whether the breach is a result of criminal activity or "good people doing stupid things."

Three words healthcare executives dread hearing—"we've been hacked"—are reverberating in hospitals, health systems and physicians groups with growing frequency.


Larry Ponemon, PhD

Just last week, Boston-based Partners Healthcare notified 3,300 patients that some information including names, addresses, dates of birth, telephone numbers and Social Security numbers and clinical information had been leaked to hackers. In February, the country's largest insurance company, Anthem, announced that 80 million member and employee records had been breached.

Most organizations will experience a data breach at some point, says Elizabeth Hodge, of counsel at Akerman LLP, a lawyer representing a variety of healthcare organizations in compliance-related matters from her firm's West Palm Beach office.

"If you are a healthcare entity, you should anticipate that you will have a breach of unsecured health information at some point," she says.

The Ponemon Institute, a data security research and consulting firm, found in its annual benchmark study that healthcare providers experience frequent data breaches involving the loss, even the theft, of patient health information.

About 90% of healthcare organizations were found to have had a data breach within the last 24 months. "These are not like Anthem," says Larry Ponemon, PhD, the firm's founder and chairman. "We're talking, 10, 20, maybe 100 individual records [involved]." While the numbers of patients who have had personal data leaked might not be as high as a massive breach like Anthem's, the implications for those people are no less troubling.

Social Security numbers, credit card information, and other private data are valuable. But the "crown jewel" for a data thief, Ponemon says, is a full medical record, which can fetch a criminal as much as $250.

Frequently, the information is used to impersonate the victim or set up a fake identity. A full chart with headers contains personal data, payment information, and often Social Security numbers, all of which can be used to obtain medical treatment fraudulently.

"This kind of crime is on the rise. These criminals use medical credentials to get healthcare and pharmaceutical products. We've seen them get cosmetic surgery, scooters, all kinds of treatments," he says.

Organizations are often taken by surprise. "A lot of providers are unable to know with precision whether they've had a data breach, or if data has been lost or stolen," Ponemon says. While some breaches are due to malicious intent, data is often lost through a glitch or error, and such incidents are unlikely to be reported.

And even when IT or security is aware of a breach, the news doesn't always make its way up the ranks to the organization's leadership.

Be Prepared
Dealing with a data breach really starts by being prepared for it, says Hodge.

"Before the breach ever happens, from a legal and good business planning perspective, you should anticipate that you will have a breach of unsecured health information at some point in your business' life," she says.


Elizabeth Hodge

Decide ahead of time who will be responsible for handling each process and have a plan in place. Hodge suggests that all stakeholders across the organization be involved. "You want the head of the IT department involved… if you have a security officer, you want that person involved, too," she says. Any in-house counsel will need to work on this issue as well, and likely the hospital CEO.

Insurance may help defray the costs of responding to a breach, but as the Department of Homeland Security confirms, the cybersecurity insurance market is young and confusion about policy costs and coverage is abundant.

Communicate Carefully
According to HIPAA regulations, organizations have 60 days from the date of discovery of the breach to provide notice to patients that their data has been compromised. "There is an exception for situations where law enforcement has requested a delay in notifying patients beyond that window," Hodge adds, although those are fairly rare.

While regulations vary state by state, most require patients to be notified in writing, via US mail. "If there is an emergency situation, you can provide notification via alternate means, such as telephone, but follow up in writing," suggests Hodge.

Publicly announcing that there has been a breach can inadvertently make the situation worse if it is done too soon. One consequence of announcing a malicious breach prematurely is that it can alert the criminals that they have been discovered, which can foil any opportunity to properly investigate or track them down.

And an announcement made before the extent of the breach is known can discredit an organization. "What you don't want is to say on Monday, 'We've experienced a data breach of 30,000 medical records,' then, on Tuesday, come out and say, 'we were wrong, it was one million records'—only to come out a week later and say it was actually 27 million," says Ponemon.

Hodge also warns against speculation when talking to outside parties, whether they be the media, patients, or anyone else, which can be difficult when confronted with tough or angry questions without apparent answers. "I would say that we need to be truthful and communicate what we know," she says.

Showing real concern for those impacted is important, however. "Communicate that you take such incidents seriously. Describe efforts that you and your organization are taking to fix the situation," she urges.

Hodge also advises against giving too much detail about the measures the organization is taking to protect against future breaches, as disclosing them could put the electronic data at even greater risk.

Damage Control
Once the public has been made aware of a breach, the next step is to focus on repairing relationships with customers (patients). In the past it may have been considered a bad idea from a legal perspective to apologize for a data breach, but that is no longer the case.

"There are ways to apologize that someone's info was accessed without accepting blame," Hodge says. "Maybe you can't escape that perhaps your employee did something they should not do, but I think that in most notice letters I've seen, the entity does make an attempt to express regret for the incident."

She believes that refusing to express regret rather than issuing a simple apology is more likely to inspire customer outrage or a potential lawsuit.

Ponemon's research suggests she is correct, finding that 43% of customers will return to an organization that leaked their information if they receive a heartfelt apology. Additionally, Ponemon and Hodge both suggest offering impacted patients free credit monitoring services and legal assistance should they become victims of identity theft as a result of a breach.

Despite portrayals in film and TV, the majority of breaches are not easily traced within hours. It can take weeks or months to determine the source of a leak, and the full extent of the damage. It's also possible there will be unpleasant surprises once the source comes to light.

"It's one thing if the records were infiltrated by an outside actor, but it's different if one's own employees may have been improperly accessing records internally," says Hodge.

As many as 75% of data breaches are estimated to be "inside jobs," although many are not intentional. "As more organizations are relying on non-expert IT people, these situations are becoming more prevalent," says Ponemon. "A lot of these incidents are just good people doing stupid things."

Lena J. Weiner is an associate editor at HealthLeaders Media.
