The risk of a data breach to hospitals and health systems is on the rise, and has been for some time, evidenced in the frequency of data breach reports as well as numerous studies covering the healthcare industry's high susceptibility.
Unfortunately, it is health information technology that increases the industry's risk. While health IT can create efficiencies, eliminate waste and improve much-needed access to information, it also fosters new risks and threats, raising concern over the security and privacy of patient health information.
However, hospitals and providers can be active in strengthening their arsenal against threats to patient information. Here are 10 best practices that organizations can use when developing data breach prevention methods and incident response plans.
1. Convene a workgroup to research threats, vulnerabilities. When Henry Ford Health System in Detroit wanted to improve its data breach response, one of the first things it did was convene a workgroup to guide the effort. The group consisted of individuals from across the system with a compliance or privacy background. The HFHS workgroup reviewed HITECH regulations and documented recommended processes. It also researched how other organizations address risk of harm to decide how HFHS should assess its own.
"We looked at how we could determine if there was a risk of harm — the potential for exposure — to patients affected by a data breach. You also need that policy for the organization; what could its exposure be?" says Meredith Phillips, chief privacy officer for HFHS. "Then we came up with a process to document the risk assessment and outlined what HFHS' approach should be."
2. Discuss goals with leadership. Ms. Phillips recommends actively identifying and talking about the goals for the healthcare organization's data breach response with the executive leadership team.
"Just like there is a goal for any other initiative, there needs to be one for data breach responses. Is the goal for your organization to mitigate regulatory risk or class action litigation or to manage reputational risk and costs? If you can get an agreement on that upfront, you can make better decisions on how to respond," says Ms. Phillips.
3. Foster a culture of continuous improvement. Hospitals should work to foster a culture of continuous improvement so that new response mechanisms and tactics are always developed. New threats and vulnerabilities continue to emerge, so security responses should as well.
Seattle Children's Research, Hospital & Foundation sustains that culture by making its data breach response process circular. According to Cris Ewell, PhD, chief information security officer for Seattle Children's, the response plan itself ends with recovery and remediation, but the overall process ends with a post-incident step that leads the organization back to assessment and planning for future incidents. In that sense, data breach response is never finished.
"We are always thinking of how we can improve. We have a continual loop process, so even when we have responded to a potential incident and go into the remediate and recovery stage, we head back to step one to see what we can do better in the future," says Dr. Ewell.
4. Update policies and procedures to include mobile devices and cloud services. Some new threats to healthcare organizations include cloud computing and mobile devices. According to Rick Kam, president and co-founder of ID Experts, hospitals need to update policies and procedures to include risk mitigation strategies and tools to detect and protect information used and shared via mobile health and cloud services.
A recent study by the Ponemon Institute demonstrated the growing prevalence of mobile devices, especially the "bring your own device" trend, as well as a growing use of cloud systems among hospitals, despite rising security concerns.
"The amount of data breaches continues to increase. However, the lack of focus and resource allocation by executives to protect the information remains the same," says Mr. Kam.
5. Create clear, well-planned governance for response. Hospitals should have clear and well laid-out plans for their data breach response management so they have clear reporting structures and can handle any breaches holistically rather than departmentally.
According to Dr. Ewell, Seattle Children's governance is reflected in a detailed plan with six steps: preparation and planning; discovery and report; analyze and assess; response; recovery and remediate; and post-incident. The first step, preparation and planning, is his responsibility.
"I have to make sure all the planning and processes are in place. I work closely with privacy and compliance officers to make sure their programs feed into my program. I also report to a board-level committee as well as to general counsel. Reporting to these high-level departments places the risk management program at a high level in the institution," says Dr. Ewell.
According to Mr. Kam, hospitals should also restructure their information security and privacy functions to introduce more accountability in reporting.
"A hospital's board decides what is important for governance and efficiency across the hospital. If reporting on security and privacy goes directly to the board, it will symbolize and reinforce commitment to data privacy and security," says Mr. Kam.
6. Operationalize pre-breach and post-breach processes. According to Mr. Kam, executives need to operationalize their breach responses by incorporating elements of an incident response plan into daily processes and business practices. "Even something as small as installing protection appliances into the network so someone is signaled when an employee sends healthcare data outside the network will be more effective," says Mr. Kam.
Many healthcare executives still view data breaches as catastrophic events rather than potentially daily occurrences, but not every data breach involves thousands of records. According to Mr. Kam, until executives prepare for smaller data breaches by putting processes in place to catch them, they will continue to be at risk.
"[Executives] need to look at where the vector of risks is coming from. [Executives] really need to evaluate what is changing and put in the processes and procedures to help the hospital deal with this on a daily basis," says Mr. Kam.
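The control Mr. Kam describes, an alert whenever an employee sends healthcare data outside the network, is the kind of small, daily check that turns a breach plan into an operational process. The following is an added illustration of that idea, not code from ID Experts, HFHS or Seattle Children's: it scans a constructed, hypothetical mail-gateway log for outbound messages that leave the organization's own domains and contain simple protected-health-information indicators (SSN, MRN, date of birth), while exempting an assumed allowlist of business-associate domains. The log format, domain names and patterns are assumptions for the example; a production data loss prevention tool would use far richer classifiers and would also watch web uploads, file shares and removable media.

```python
import re
from dataclasses import dataclass, field

# Assumptions for this example: the hospital's own mail domains and the
# business-associate domains it is contractually permitted to share PHI with.
INTERNAL_DOMAINS = {"example-health.org"}
APPROVED_PARTNER_DOMAINS = {"labcorp.example"}

# Constructed sample of outbound mail-gateway log lines (hypothetical format):
# timestamp|sender|recipient|subject|body_excerpt
SAMPLE_LOG = """\
2024-05-01T09:12:03|jdoe@example-health.org|billing@example-health.org|Invoice|Patient MRN 00482913 balance due
2024-05-01T09:15:44|jdoe@example-health.org|friend@gmail.com|fwd: labs|John Smith DOB 03/14/1962 SSN 123-45-6789 glucose 140
2024-05-01T09:20:10|rn1@example-health.org|partner@labcorp.example|Results|MRN 00482913 specimen received
2024-05-01T09:22:51|rn1@example-health.org|me@outlook.com|schedule|shift swap Friday?
"""

# Deliberately simple PHI indicators; real classifiers are broader and tuned for false positives.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\s*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
}


@dataclass
class Alert:
    """One egress alert. Only indicator names are recorded, never the matched
    PHI itself, so the alert stream does not become a second copy of the data."""
    timestamp: str
    sender: str
    recipient: str
    indicators: list = field(default_factory=list)


def recipient_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_external(addr: str, internal=INTERNAL_DOMAINS) -> bool:
    """True when the recipient is outside the organization's own domains."""
    return recipient_domain(addr) not in internal


def is_approved_partner(addr: str, partners=APPROVED_PARTNER_DOMAINS) -> bool:
    """True when the recipient is a business associate allowed to receive PHI."""
    return recipient_domain(addr) in partners


def find_phi(text: str) -> list:
    """Return the names of every PHI pattern that matches the text."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]


def scan_log(log_text: str, internal=INTERNAL_DOMAINS,
             partners=APPROVED_PARTNER_DOMAINS) -> list:
    """Alert on messages that leave the organization for a non-partner
    recipient and carry at least one PHI indicator."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # malformed record; a real pipeline would log this separately
        ts, sender, recipient, subject, body = parts
        if not is_external(recipient, internal) or is_approved_partner(recipient, partners):
            continue
        hits = find_phi(subject + " " + body)
        if hits:
            alerts.append(Alert(ts, sender, recipient, hits))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.timestamp} {a.sender} -> {a.recipient}: {', '.join(a.indicators)}")
```

Run against the sample, only the message to the personal Gmail address is flagged: the internal invoice and the transfer to the approved lab partner pass, and the shift-swap note has no PHI. Two design points matter in practice: the alert records which indicator types fired rather than the matched values, and the partner allowlist should be driven from the business associate agreements the incident response plan already tracks, so that the same list governs both routine egress and breach handling.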
7. Ensure incident response plans cover third parties. In the past, a response plan covering the hospital or health system itself was enough; now it must also cover business associates, partners and cyber insurance.
According to the Ponemon Institute, data breaches are widespread: about 94 percent of hospitals have been affected. "Organizations are seeing this risk occur, but they are not changing how they deal with it," says Mr. Kam. "Hospitals share data with business associates and other organizations daily. It is those transactions that need to be secured. The incident response plan needs to account for those exchanges."
8. Test all plans against past data breaches. Ms. Phillips recommends testing any plan or program that is created against past data breaches to make sure the components of the plan address relevant issues.
"It is a great way to make sure everything is covered. In order to vet the approach, we applied the plan to previous breaches. We took a case load from two years prior and went through the exercise of applying the response plan to the previous incidents. We knew that we could base the effectiveness of our plan on our history," said Ms. Phillips.
9. Charter a rapid response team. Ms. Phillips and her team decided to create an immediate response team, which they call the Code B Alert Rapid Response Team to act as a first line of defense when a breach is reported internally or identified at HFHS.
"When someone calls thinking they lost something or that something was stolen, this team needs to make sure the breach actually occurred. Sometimes an incident is reported, but it is not a breach," says Ms. Phillips.
Individuals from each business unit as well as from the legal, information privacy and information security offices were chosen to form the team. Ms. Phillips stresses the importance of keeping the team centralized.
"We found that when we rolled out the Code B program, allowing each business unit to utilize a response team on their own was counterproductive. It's necessary to streamline the plan, keep it consistent and maintain the governance under one corporate entity," said Ms. Phillips.
10. Don't forget the communication plan. It is important that hospitals create a communication plan for internal and external actions following a data breach. The plan will aid in communicating the urgency of a data breach to employees, including the importance of complying with organizational security and privacy policies, and in notifying patients, media, state agencies and HHS' Office for Civil Rights of the breach.
According to Ms. Phillips, HFHS created a plan that was used consistently throughout the system and managed corporately instead of at the business-unit level. The internal communication was branded with the name Code B, the same title used for the response program and team, so employees would instantly recognize that a data breach had occurred. The branding was intended to head off confusion among employees about what the message meant.
While every healthcare organization is different and should tailor a data breach response plan to its needs, some of these best practices have drastically improved data breach preparedness and response times for Seattle Children's and HFHS. A hospital or health system looking for guidance could follow these tips to prepare a strong and effective data breach response.