BreachExchange mailing list archives

Best practices: breach response
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 7 Aug 2014 19:43:47 -0600

http://www.healthcareitnews.com/news/best-practices-breach-response

Some 90 percent of healthcare organizations have reported at least one data
breach in the past two years, with more than a third seeing more than five
breaches. Responding to these breaches in the proper manner proves integral
not only to reining in costs and avoiding litigation but also to
maintaining the integrity of the organization.

Gerry Hinkley, partner at Pillsbury Winthrop Shaw Pittman's healthcare
practice, says breach response is an area where many make major missteps,
mistakes that can easily be avoided.

Hinkley, who spoke at the June HIMSS Media and *Healthcare IT News* Privacy
and Security Forum in San Diego, works with myriad organizations on proper
breach response. Many of them have faced legal action due to post-breach
slip-ups on their part.

One of the biggest takeaways? "Don't give in to individuals who want to
sugar coat this," he said. "You do much better really saying what happened
up front ... individuals respect that."

First, in preparing for a potential HIPAA breach, organizations should
engage their risk management department and look into purchasing cyber
insurance, said Hinkley. But know what's in the insurance policy, as many
cyber insurance policies are services agreements with pre-selected
approaches to deal with breaches and subsequent notification.

"You need to be very careful in what you buy," said Hinkley.

Next, an organization should employ a centrally managed platform used to
detect and prevent unauthorized use and transmission of data. Then it's a
matter of performing a rolling risk assessment, with continual security
improvements.

Make sure you train and authenticate personnel, said Hinkley, who advocated
against the use of online-based training exercises.

"My recommendation is that you have much more job specific HIPAA incident
training," he said, as role-specific training typically proves more
effective in the long run.

One of the cases Hinkley is currently working on involves a healthcare
employee who emailed patient information to his home computer. This was a
well-intentioned individual, he said, but one who'd only received training
from an online module.
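The "centrally managed platform used to detect and prevent unauthorized use and transmission of data" mentioned earlier is, in practice, a data loss prevention check on outbound traffic, and the case above (patient data mailed to a home account) is exactly the event such a check exists to catch. The following is an added example, not code from the article or from any product it mentions: a small DLP-style evaluator run over constructed outbound mail records. The organization domain, the approved partner domain, the "MRN-" identifier format, the personal mailbox domain and every sample message are assumptions made up for illustration; a real deployment would substitute the organization's own identifier formats and recipient allowlists.

```python
"""DLP-style check over outbound mail records (illustrative, not a product).

Flags messages leaving the organization that carry indicators of PHI, with
the employee-forwards-work-to-personal-mailbox case called out explicitly.
All domains, identifier formats and sample records are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical organization domain and approved business-associate domains.
INTERNAL_DOMAINS = {"example-health.org"}
APPROVED_EXTERNAL = {"claims-partner.example.com"}

# Structured PHI indicators. The "MRN-" format is an assumption for this example.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{6,8}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[: ]*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
}
# Weaker, context-only signals: keywords and bulk-data attachment types.
PHI_KEYWORDS = ("diagnosis", "patient", "lab result", "discharge summary")
SENSITIVE_EXT = (".csv", ".xlsx", ".pdf", ".zip")


@dataclass
class MailRecord:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


@dataclass
class Finding:
    sender: str
    external_recipients: List[str]
    indicators: List[str]
    severity: str  # "block" for structured identifiers, "review" for context-only hits


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _local(addr: str) -> str:
    return addr.split("@", 1)[0].lower()


def external_recipients(rec: MailRecord) -> List[str]:
    """Recipients outside the organization and not on the approved partner list."""
    return [r for r in rec.recipients
            if _domain(r) not in INTERNAL_DOMAINS and _domain(r) not in APPROVED_EXTERNAL]


def phi_indicators(rec: MailRecord) -> List[str]:
    """Collect every PHI signal present in subject, body or attachment names."""
    text = f"{rec.subject}\n{rec.body}"
    hits = [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]
    hits += [f"kw:{kw}" for kw in PHI_KEYWORDS if kw in text.lower()]
    hits += [f"attachment:{a}" for a in rec.attachments if a.lower().endswith(SENSITIVE_EXT)]
    return hits


def evaluate(rec: MailRecord) -> Optional[Finding]:
    """Return a Finding if PHI indicators leave the organization, else None."""
    ext = external_recipients(rec)
    if not ext:
        return None  # internal or approved-partner traffic is out of scope here
    indicators = phi_indicators(rec)
    if not indicators:
        return None
    # Same mailbox name at an outside domain is the classic self-forward to a home account.
    if any(_local(r) == _local(rec.sender) for r in ext):
        indicators.append("self-forward")
    strong = any(i in PHI_PATTERNS for i in indicators)
    return Finding(rec.sender, ext, indicators, "block" if strong else "review")


def scan(records: List[MailRecord]) -> List[Finding]:
    return [f for f in (evaluate(r) for r in records) if f is not None]


# Constructed sample traffic: one self-forward leak, two legitimate internal/partner
# messages, one harmless external message, one keyword-only message needing review.
SAMPLE_RECORDS = [
    MailRecord("jdoe@example-health.org", ["jdoe@personal-mail.example.net"],
               "patient list for tonight",
               "Tonight's list: MRN-00123456 (DOB 03/14/1961), needs labs reviewed.",
               ["patients.xlsx"]),
    MailRecord("hr@example-health.org", ["payroll@example-health.org"],
               "new hire", "SSN on file: 123-45-6789"),
    MailRecord("billing@example-health.org", ["intake@claims-partner.example.com"],
               "claim", "Claim for MRN-00987654 attached."),
    MailRecord("jdoe@example-health.org", ["friend@personal-mail.example.net"],
               "lunch", "lunch tomorrow?"),
    MailRecord("rlee@example-health.org", ["rlee.family@personal-mail.example.net"],
               "quick question", "Could you look at this diagnosis when you get in?"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f.severity.upper(), f.sender, "->", f.external_recipients, f.indicators)
```

The split between "block" and "review" is the design point worth keeping: structured identifiers (SSN, MRN, DOB) are unambiguous and can be stopped at the gateway, while keyword-only hits generate too many false positives to block outright and are better routed to a reviewer. The "self-forward" indicator is cheap to compute and singles out the well-intentioned-employee case the article describes, which is also the case that training alone failed to prevent.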

Hinkley said employee training should be much more robust. "Not everybody
who needs to be trained is getting training," he said.

After the training piece, a healthcare organization should authorize and
limit applications. Policies regarding notification, mitigation and
reporting also need to be squared away, published and distributed.

So what if a group does all this, and a breach still occurs?

Kick off an internal report, where upstream reporting proves critical,
explained Hinkley. Breach notification should go all the way up the
organization's chart to the CEO before HHS and the press are notified.

And although covered entities and business associates have 60 days from
discovery of the breach to report it to HHS and the press, Hinkley advised
they don't take that long. The sooner the better. "Don't use the 60 days to
your advantage, because it's the end zone," he said. If groups wait until
the last minute, that trust level also goes significantly down.

Immediately following the breach, passwords and authorizations should be
changed, and all the evidence should be preserved, he pointed out. Evidence
preservation needs to happen before any affected system is wiped or
rebuilt, since remediation steps can destroy the logs and artifacts that
later enforcement or litigation will turn on. Involving legal counsel to
enable the attorney-client privilege can also prove beneficial.

Next, it's about remediation.

"What we advise is, whatever the plan is, it should engender trust in your
organization that you're doing the right thing," said Hinkley. "You can
really put a lid on subsequent enforcement and litigation risk if you're
very up front; you're apologetic; you're very clear on what the
consequences are and you provide remedies that are well-tied to what the
actual risks are that are presented to the individual."

Part of that includes implementing a 24/7 line available to those affected,
and providing but not requiring credit monitoring for affected patients.

Then, it's a matter of training, again. If the breach involved an employee
who violated a policy or procedure, discipline is the way to go, said
Hinkley. It's harsh but very much necessary.

"You can't put yourself in that position where somebody says, 'Well, gee,
this is important, but it's not so important that my job could be
compromised, or I could be disciplined in some way,'" he said. "Individuals
who act out need to be dealt with," which includes those employees who act
in "reckless disregard" for an organization's policies.

Michael Allred, information security consultant and identity and access
team manager at Intermountain, who also spoke at the forum, agreed. He
recalled a conversation he had with his chief information officer, who very
seriously told him: "If we have a data security breach, someone's going to
lose their job." That's just the nature of the game nowadays.

The big takeaway? Accountability, said Hinkley. It really does wonders for
reducing subsequent enforcement and litigation risks.

Victims of a data breach believe their healthcare organization has "let
them down," he said. "It's more than (if) you felt like Target let you
down, or Neiman Marcus let you down, when your records may have been
compromised," he explained, "because it's someone they trust for medical
decisions."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss