Senior healthcare leaders must formulate an action plan for addressing a data breach at their organizations. Knowing how to deal with one could help limit the damage.
With the news out of Michigan this week that the data of 20,000 patients has been compromised because of a breach, it is wise for healthcare leaders to proactively prevent their organizations from becoming part of the misery.
But if you do experience a data breach, it is your responsibility to respond quickly and fully, executing your action plan. Here are the five steps your action plan should include:
1. Determine what happened.
Many organizations have had a data breach and don't even know about it, so finding evidence of the breach is only the first part of figuring out how it happened, says Chris Byers, CEO of Formstack, an Indianapolis-based company that helps companies, including hospitals and physician offices, manage and capture data about their customers. Its healthcare clients typically use its services to acquire data through electronic medical forms.
Most data breaches are born out of personal error, he says, whether through misplacing or losing paper forms or through insecure email communication.
"Plenty of times you have no clue about the original cause as to why data got out, and you only have about a day to figure out what you can learn before addressing the issue publicly," says Byers.
Even if it's an explanation about how you're seeking answers, you need to explain how you think you were breached.
2. Notify the public.
This can be difficult to do when you're still not completely sure what happened short term, but you should notify those whose data may have been compromised, says Byers.
"What happened isn't enough. You want to communicate immediately with customers or patients, and do it quickly and genuinely," he says.
"One of the things most of us do when we go into a practice or hospital is we sign the HIPAA policy," says Byers. "The hospital system should implement some sort of alert in their portal to ensure they're capturing patient email addresses to make sure you can communicate with them."
Also, don't succumb to the temptation of making a public relations statement about the data breach. If it was a mistake, just say so.
3. Conduct a more thorough assessment.
In a longer-term assessment, it's important to know what data has been breached. That's likely to mean a multiweek long project to really understand what happened, says Byers.
Even data management companies such as Formstack build systems that are intended to never be breached, but there could be a hole in the software code or a different kind of accident, Byers says.
"One of the most effective things we use is penetration testing," he says.
That's effectively paying for high-end developers and engineers to break into your system. Those will open the clearest paths to vulnerabilities in the system.
4. Communicate again with customers.
This is where you clearly explain the results of your longer-term investigation, Byers says. That way, you can better communicate what you're going to change going forward to make your data more secure.
Contrary to popular belief, data breaches are usually the result of paper interaction, he says. Medical paperwork could get lost or misplaced. Moving information exclusively to electronic systems can better defend against a breach, ironically.
"People are concerned about malware, but it's still the least used way to steal data," Byers says." A small physician office or medium hospital system is much less likely to be victim of cyberattack."
Email is the second-most likely culprit, including phishing schemes for W-2 information, for example. The most valuable investment healthcare organizations can make in preventing data theft is to store it from creation in an authenticated system.
"Once you log in, the user can be audited in the future, and you can see what they've done," he says. "With user authentication and encryption, the likelihood of someone breaking into that goes way down."
5. Change your processes.
The final step after a breach, of course, includes making changes to your internal processes so it doesn't happen again.
"The big problem we're experiencing in healthcare is that the government helps fund EMRs, but the bad news is that it's about getting your records into place, not that they're secured," Byers says. "It's much more about moving the healthcare world into electronic systems."
Only about 20% of healthcare organizations have a real chance of being breached, Byers says, but it's often impossible to know whether your organization is in that 20% because so many variables contribute to a breach.
"It's such an enormous responsibility that you have to be doing all the work to make sure you handle it right," he says. "You should be concerned at an 80% level that someone's going to try to break into your system."
Philip Betbeze is the senior leadership editor at HealthLeaders.