BreachExchange mailing list archives

Navigating a data breach: Balancing legal and communications hurdles


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 9 Oct 2014 19:30:06 -0600

http://www.beckershospitalreview.com/healthcare-information-technology/navigating-a-data-breach-balancing-legal-and-communications-hurdles.html

A data breach in healthcare is like no other. When a health system fails to
safeguard patient data, the breach goes beyond the personal financial
information typically compromised when a retail chain fails to protect its
customers' credit card numbers. Hospitals and other providers, after all,
must keep safe very personal and sensitive information — information about
our health. Providers uniquely depend on the trust of their patients —
trust that, once broken, can be hard to mend.

Imagine that a health system with multiple locations learns two unencrypted
laptops — containing protected health information for about 50,000 patients
— have been stolen from its central billing office. The system must act
quickly yet thoroughly to navigate the communications and legal challenges
of the breach.

Planning to be successful
Before anything else, the health system must get organized. Ideally, the
health system has a data breach incident response process that will
facilitate prompt discovery of the incident and coordinate how the health
system investigates the incident, mitigates harm and complies with all
regulatory obligations. The health system also will benefit if it has a
crisis communications plan already in place. This plan is the starting
point for communications leaders when any type of crisis hits, such as a
mass-casualty accident on a nearby interstate highway, an on-campus
incident or a reputational crisis such as a breach of PHI. Having a plan in
place ensures that the logistics of crisis communications — where to
conduct news conferences, how to ensure continuity of communications in a
disaster, who handles what in a crisis — are thought out in advance.

At the core of a data breach response is an incident response team. With
representatives from communications, operations, compliance and legal, the
incident response team should meet regularly throughout the life of the
incident. Initially, this may require daily (or more frequent) meetings to
stay tightly coordinated and to enable a timely response. Later, the
meetings may drop to twice weekly or weekly as needed.

Actions following discovery of the incident
Once the incident is discovered, the team will need to focus immediately on
stopping further non-permissible uses or disclosures (if possible) and
gathering the facts, possibly in conjunction with a forensics data analysis
firm. This will uncover answers to key questions: What kind of data was
involved? Was the data encrypted, and if so, was the decryption key stored
on or with the laptops? Did it include Social Security numbers? Have the
laptops been recovered? Can they be wiped remotely (bearing in mind that a
remote wipe only takes effect if the device reconnects, and says nothing
about what was accessed before then)? Where do affected individuals reside?
The facts will determine federal and state reporting requirements.

Understanding all of the applicable state law requirements can be a
challenge, given that over 40 states have breach notification laws that
vary in their requirements and are subject to frequent change. At the
federal level, the HIPAA breach notification rules now presume that a
non-permitted use or disclosure of unsecured PHI is a breach. The burden is
on the health system to demonstrate, through a documented risk assessment,
that there is a low probability that the PHI has been compromised. In the
case of stolen laptops, if the laptops are unencrypted, overcoming the
breach presumption will be difficult (unless the laptops are recovered and
a forensic analysis supports that the data on the laptops was not
accessed). By contrast, laptops encrypted in a manner consistent with HHS
guidance, where the decryption key was not also compromised, would hold
secured PHI, to which the breach notification rules do not apply at all.

After completing this fact-gathering and analysis, legal should give an
overview report to the incident response team. The facts and the reporting
requirements provide the framework for how the health system will need to
respond to the situation, from both legal and communications perspectives.

In some scenarios, the health system might not be legally required to
report the incident, if the facts demonstrate the incident is not a breach
under HIPAA and does not implicate any state laws. But the team should also
consider the damage the system's reputation could sustain from the
situation. If news of the incident leaks — and it quite possibly will — the
health system should consider how a patient would feel upon learning about
the incident in the morning paper and whether government regulators (as
well as the public) will agree with the health system's determination that
no breach occurred. The health system must carefully weigh its risk
tolerance and comfort level with its analysis. For example, if the health
system's forensic analysis demonstrates that the data on the laptops was
not accessed, the health system will need a clearly drafted report from the
analysts and may need an outside expert's confirmation, if the analysis was
performed by an in-house information technology department.

Truth and timeliness
Once the health system determines the incident requires notifications under
HIPAA, state laws or both, the health system must move quickly to provide
all required notifications; HIPAA sets an outer limit of 60 calendar days
from discovery for individual notice, and some state laws set shorter
deadlines. Given the size of this incident in the example (more than 500
affected residents of a state), the health system will be required by HIPAA
to notify prominent media outlets and the Office for Civil Rights at the
same time that it notifies affected individuals. It is unlikely that it
will have up-to-date contact information for all affected individuals, so
it should plan to provide substitute notice consistent with HIPAA and all
state requirements.

In tandem with the rest of the data incident team and consistent with
applicable reporting requirements, communications will develop an
overarching communications plan that identifies communication vehicles,
audiences and timeline, and a set of core messages. Communicating a breach
requires action that is both quick and accurate. While patients need to
hear about the breach from the health system itself, truth should not be
sacrificed for timeliness. Reviewing communications with the rest of the
crisis team will ensure their accuracy. All communications should be
thoroughly vetted by legal and operations.

Transparency is key in all communications about the breach. Of course, not
all details about the breach can or should be shared. Further, there is a
fine line between acknowledging the mistake and dwelling on the past. The
system must communicate to its affected patients (and other audiences) what
steps it is taking to remedy the situation and, more importantly, how it
will prevent such a breach in the future.

Open a dialogue
Given the deeply personal nature of health information, it is critical that
the health system ensure a two-way dialogue. Affected patients likely will
have many questions and need an avenue to connect with the health system.
HIPAA and state law obligations will require providing affected patients
with contact procedures to use to ask questions and learn additional
information, such as a toll-free telephone number. Some health systems have
set up a dedicated page on their websites for this purpose, with all the
important information patients need and a contact form or dedicated email
address for submitting questions.

The communications team should anticipate these concerns and have a set of
frequently asked questions with corresponding answers. Whether in-house or
at a vendor call center, the health system must leave enough time before
issuing communications to make sure the representatives fielding patient
questions are knowledgeable enough to speak confidently about the
situation. Quickly training call center staff on a script is important to
avoid delays in providing required notifications. Identifying a call center
vendor should be part of advance planning for any crisis communications
situation.

The health system's employees will also need to be equipped to respond to
patient questions. The crisis team should plan an internal roll-out to
ensure a consistent message is shared with employees, as well as guide them
on how to answer patient questions. Individual hospitals and ambulatory
sites will need their own communications toolkit, including talking points
and FAQs.

If the communications plan calls for a news conference, the team should
choose and train one or more media representatives (media training of key
executives is another best practice as part of crisis communications
planning.) Legal will offer clear guidelines about what to say, while
communications provides training on how to deliver the messaging and
interview tips to stay on message under questioning.

Look for recovery opportunities
After the communications plan has been executed, the work is not over. The
health system must quickly confirm that it has implemented necessary
corrective actions to avoid future incidents and be prepared for regulatory
scrutiny. The system could be investigated by not only OCR, but also state
attorneys general (for all states in which affected patients reside), state
licensure agencies and the Federal Trade Commission. It also may receive
scrutiny from third-party payers. Class actions brought on behalf of
affected patients are becoming increasingly common. The incident team will
need to hold periodic check-in meetings to evaluate responses received to
the notices it has provided, the status of its mitigation and corrective
actions, and whether it is prepared for investigations or possible
litigation.

In the midst of a crisis, with the necessary focus on providing required
notifications quickly, documentation of what happened and what was done can
become disorganized. It is possible that the health system will receive
requests for supporting documents from OCR or other regulators months after
the incident, when memories have started to fade and key personnel may no
longer be with the organization. Thus, once the initial crisis has passed,
it is a good practice to gather internal reports and notes, confirm that
key steps and conclusions (in particular the risk assessment and the
rationale for any decision not to notify) have been clearly documented, and
ensure the documentation can be easily located when needed; HIPAA requires
this documentation to be retained for six years.

If positive developments warrant, the team may consider updating important
audiences on progress that has been made, such as the apprehension of
criminals accused of stealing the laptops. Continuing to communicate to key
audiences beyond the initial announcement will help the health system make
this a short-lived crisis and mitigate damage.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss