
Are You Prepared for a Healthcare Data Breach?

With over 100 million patient records already compromised, the odds of your practice or hospital escaping are not in your favor. Prepare for this possibility before it happens.
By Paul Cerrato. Reviewed by Mac McMillan, FHIMSS, CISM, Co-Founder and CEO, CynergisTek, Inc.; Chair, HIMSS Privacy & Security Policy Task Force
If a foreign enemy wanted to invade the U.S., they might do so through a port city like New York or San Francisco. But if they wanted to launch a cyberattack, they would likely go through a
common service provider such as an ISP, a compromised computer or network connection, or an unsuspecting or inattentive user—in other words, taking advantage of a virtual port.
The Bottom Line
If unsecured protected health information has been leaked, the federal government says you must notify the affected individuals, the Department of Health and Human Services, and, in certain circumstances, the media. Notifying the press will likely bring closer scrutiny, along with the risk of class-action lawsuits and a damaged reputation. For a breach affecting more than 500 people, you have only 2 months to give notice, during which time you’ll likely need to hire an attorney, a forensic computer specialist, and a public relations firm.
Criminals with physical access to your computers could use a USB port to steal patient data. Failing that, they might try to sneak in through a virtual port in your computer network. In
either case, HIPAA requires clinicians to put security measures in place to protect against these types of attacks. But while a great deal has been written about preventing such breaches,
few providers think about how to manage a data breach once it occurs.
Before making any decisions, you need to understand what’s required of you if your patients’ personal or medical information is compromised. If it’s been determined that unsecured protected
health information (PHI) has been leaked to unauthorized persons—inside or outside your organization—then “covered entities must provide notification of the breach to affected individuals,
the Secretary, and, in certain circumstances, to the media,” according to the Office for Civil Rights, the division of the U.S. Department of Health and Human Services (HHS) that enforces
federal healthcare privacy and security rules.1
A “covered entity” can include a medical practice, hospital, health insurance plan, or clearinghouse that handles PHI, and the “Secretary” is the Office of the Secretary of HHS. In addition to informing HHS, patients have to be told that their information has been exposed.
The phrase about notifying the media in certain circumstances is where providers can get into a lot of trouble. If more than 500 residents of your state are affected by the data breach,
you’ll have to send a press release to your local media outlets: TV and radio stations, newspapers, etc. And this must be done quickly. The law says “without unreasonable delay and in no
case later than 60 days following the discovery of a breach . . . ”1
Once the media has been informed, you may have to deal with several challenging and costly repercussions, including, but not limited to, having to set up an additional call center, offering
assurances to those affected that they’re protected, the possibility of a class-action lawsuit and a general loss of confidence within your local community. Any blow to your reputation may
mean bringing in a public relations firm to handle the fallout. You may also have to hire a credit monitoring service, to protect patients from the risk of having their identities further
stolen.
If, on the other hand, the data breach affects fewer than 500 people, the law doesn’t require media notification but states that you must contact HHS within 60 days after the end of the calendar year during which the breach was discovered. Nonetheless, you can report these smaller breaches any time before that cutoff, and in most cases you are better off doing so. The federal government has a web page specifically designed for healthcare organizations to submit their notification about breaches, large and small, located on the Office for Civil Rights’ website.
And if you believe that the risk of disclosure of unsecured PHI is low, you’ll need to demonstrate that with documentation, which you may only be able to do with the help of a forensic
computer specialist to determine exactly how the breach happened and what was compromised.
Given the cost of most major data breaches today, you will want to bring a lawyer with knowledge of the regulations into the picture to help sort things out. A list of law firms with
healthcare expertise is available at US News & World Report. Major breaches can lead to settlements, which are a legal matter.
Unfortunately, if you’ve waited until this point to consult an attorney, you’ve probably waited too long. Every healthcare organization needs to have a breach response team in place before
an incident occurs. That may sound fatalistic, but it’s more realism than fatalism. Since 2009, more than 143 million Americans have had their data compromised in more than 1300 separate
healthcare-related breaches.2 That translates to roughly one-third of the U.S. population. With those kinds of odds, preparation is the wisest course.
“Have a plan in place and be transparent,” says Andrew von Ramin Mapp, CEO of Data Analyzers, a data recovery and computer forensics firm in Orlando. “You can save time and money by having a
plan in place in the event you experience a data breach. Your plan should seek to identify who had access to the device or system and what data was lost, potential recovery options, and the
impact it may have on your business.”
The response plan, he says, also should include a contact list that identifies IT personnel, a data recovery expert, and legal counsel or law enforcement agencies.
Experian, the large credit reporting agency, takes a similar position in its latest Data Breach Response Guide: “After a data breach has been discovered is not the time to decide how you’re
going to respond or who will be responsible for addressing the many challenges it poses. It’s critical to develop your response plan and build your response team well before you need them.”3
Published: October 02, 2015
References
1. U.S. Department of Health and Human Services. Breach Notification Rule.
2. Peterson A. 2015 is already the year of the health-care hack—and it’s only going to get worse. Washington Post. March 20, 2015.
3. Experian. Data Breach Response Guide, 2014-2015 Edition.