BreachExchange mailing list archives

Breach response tips from experts


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Jun 2014 20:32:13 -0600

http://www.healthcareitnews.com/news/HIPAA-breach-response-tips-experts

Some 90 percent of healthcare organizations have reported at least one data
breach in the past two years, with more than a third seeing more than five
breaches. Responding to these breaches in the proper manner proves integral
not only to reining in costs and avoiding litigation but also to
maintaining the integrity of the organization.

Gerry Hinkley, partner at Pillsbury Winthrop Shaw Pittman's healthcare
practice, says breach response is where many make major missteps, mistakes
that can easily be avoided.

Hinkley, who spoke at the HIMSS Media and Healthcare IT News Privacy and
Security Forum June 16 in San Diego, works with myriad organizations on
proper breach response, many of which have faced legal action due to
post-breach slip-ups on their part. One of the biggest takeaways? "Don't
give in to individuals who want to sugar coat this," he said. "You do much
better really saying what happened up front ... individuals respect that."

First, in preparing for a HIPAA breach, organizations should engage their
risk management department and look into purchasing cyber insurance, said
Hinkley. But know what's in the insurance policy, as many of the cyber
insurance policies are services agreements with pre-selected approaches to
deal with breaches and subsequent notification. "You need to be very
careful in what you buy," he added.

Next, an organization should employ a centrally-managed platform used to
detect and prevent unauthorized use and transmission of data. Then it's a
matter of performing a rolling risk assessment, with continual security
improvements.

Hinkley continued: Make sure you train and authenticate personnel. He
advocated against the use of online-based training exercises. "My
recommendation is that you have much more job specific HIPAA incidence
training," he said, as they typically prove to be more effective in the
long run. One of the cases Hinkley is currently working on involves a
healthcare employee who emailed patient information to his home computer.
He was a well-intentioned individual, he said, but the training he had
received? An online module.

Hinkley also noted the employee training should be robust. "Not everybody
who needs to be trained is getting training," he said.

After the training piece, a healthcare organization should authorize and
limit applications. Policies regarding notification, mitigation and
reporting also need to be squared away, published and distributed.

So what if a group does all this, and a breach still occurs?

Kick off an internal report, where upstream reporting proves critical,
explained Hinkley. Breach notification should go all the way up the
organization's chart to the CEO before HHS and the press are notified.

And although covered entities and business associates have 60 days to
report the breach to HHS and the press, Hinkley advised they don't take
that long. The sooner the better. "Don't use the 60 days to your advantage,
because it's the end zone," he said. If groups wait until the last minute,
that trust level also goes significantly down.

Immediately following the breach, passwords and authorizations should be
changed, and all the evidence should be preserved, he pointed out.
Involving legal counsel to enable the attorney-client privilege can also
prove beneficial.

Next, it's about remediation.

"What we advise whatever the plan is, it should engender trust in your
organization that you're doing the right thing," said Hinkley. "You can
really put a lid on subsequent enforcement and litigation risk if you're
very up front; you're apologetic; you're very clear on what the
consequences are and you provide remedies that are well-tied to what the
actual risks are that are presented to the individual."

Part of that includes implementing a 24/7 line available to those affected,
and providing but not requiring credit monitoring for affected patients.

Then, it's a matter of training, again. If the breach involved an employee
who violated a policy or procedure, discipline is the way to go, said
Hinkley. It's harsh but very much necessary. "You can't put yourself in
that position where somebody says, 'well gee, this is important, but it's
not so important that my job could be compromised, or I could be
disciplined in some way,'" he said. "Individuals who act out need to be
dealt with," which includes those employees who act in "reckless disregard"
for an organization's policies.

Michael Allred, information security consultant and identity and access
team manager at Intermountain, who also spoke at the forum, agreed.
Allred recalled a conversation he had with his chief information officer,
who very seriously told him: "If we have a data security breach, someone's
going to lose their job." That's just the nature of the game nowadays.

The big takeaway? Accountability, said Hinkley. It really does wonders for
reducing subsequent enforcement and litigation risks. Affected victims of
the data breach believe their healthcare organization has "let them down,"
he added. "It's more than you felt like Target let you down or Neiman
Marcus let you down when your records may have been compromised," he
explained, "because it's someone they trust for medical decisions."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
