Skip to main content


5 Steps to Take If Your Org Has a Data Breach

By Philip Betbeze  
   December 07, 2017

Also, don't succumb to the temptation of making a public relations statement about the data breach. If it was a mistake, just say so.

3. Conduct a more thorough assessment.

In a longer-term assessment, it's important to know what data has been breached. That's likely to mean a multiweek long project to really understand what happened, says Byers.

Even data management companies such as Formstack build systems that are intended to never be breached, but there could be a hole in the software code or a different kind of accident, Byers says.  

"One of the most effective things we use is penetration testing," he says.

That's effectively paying for high-end developers and engineers to break into your system. Those will open the clearest paths to vulnerabilities in the system.

4. Communicate again with customers.

This is where you clearly explain the results of your longer-term investigation, Byers says. That way, you can better communicate what you're going to change going forward to make your data more secure.

Contrary to popular belief, data breaches are usually the result of paper interaction, he says. Medical paperwork could get lost or misplaced. Moving information exclusively to electronic systems can better defend against a breach, ironically.

"People are concerned about malware, but it's still the least used way to steal data," Byers says." A small physician office or medium hospital system is much less likely to be victim of cyberattack."

Email is the second-most likely culprit, including phishing schemes for W-2 information, for example. The most valuable investment healthcare organizations can make in preventing data theft is to store it from creation in an authenticated system.

"Once you log in, the user can be audited in the future, and you can see what they've done," he says. "With user authentication and encryption, the likelihood of someone breaking into that goes way down."

5. Change your processes.

The final step after a breach, of course, includes making changes to your internal processes so it doesn't happen again.

"The big problem we're experiencing in healthcare is that the government helps fund EMRs, but the bad news is that it's about getting your records into place, not that they're secured," Byers says. "It's much more about moving the healthcare world into electronic systems."

Only about 20% of healthcare organizations have a real chance of being breached, Byers says, but it's often impossible to know whether your organization is in that 20% because so many variables contribute to a breach.

"It's such an enormous responsibility that you have to be doing all the work to make sure you handle it right," he says. "You should be concerned at an 80% level that someone's going to try to break into your system."

Philip Betbeze is the senior leadership editor at HealthLeaders.

Get the latest on healthcare leadership in your inbox.