Medical identity theft is undeniably one of the biggest challenges facing the healthcare industry today. The guidelines laid out by HIPAA provide an excellent frame of reference to help better protect patient data. When you are faced with a breach, however, what’s the best response? Here’s a look at 20 tips from the experts.
1. Locate Breach
The very first thing to do if you suspect a breach is to find it. No other steps can be taken without knowing exactly what you’re up against.
2. Contain Breach
After identifying the breach, the next step is containment. The goal here is the IT equivalent of stopping the bleeding, whether that means disabling compromised accounts or blocking access to infected machines.
3. Damage Control
Damage control begins as soon as the immediate threat is under control. Determine what was accessed, and investigate other potential vulnerabilities to gauge the extent of any collateral damage.
4. Restore Services
Your organization must continue functioning effectively, and this means getting critical systems up and running again as quickly as possible. Once you’re sure that you’ve accurately identified and contained the source of the breach, restore essential services.
5. Internal Notification
Next, develop an internal report that notifies everyone, from the ground up, about what just happened. This is important for managing the rumor mill, but it also helps satisfy the documentation requirements of the U.S. Department of Health and Human Services (HHS).
6. Be Honest
Don’t try to sugarcoat the news while you’re sharing it. Just be honest and explain the facts behind the breach.
7. Change Passwords
Change all passwords and authorizations right away. It’s hard to tell how much information a hacker had time to grab, so err on the side of caution.
8. Preserve Evidence
As you’re doing things like changing passwords and containing the breach, be sure to save evidence of both the breach itself and the corrective measures you’re taking for future reference.
9. Gather Documentation
The Office for Civil Rights (OCR) will require extensive documentation, including but not limited to a copy of your most recent risk assessment, records of the corrective action taken in response to the breach, evidence of your plans to prevent a recurrence, and much more.
10. Report Immediately
Although you technically have 60 days to report the breach to HHS and the press, it’s better to go public sooner rather than later. This shows that you’re taking the issue seriously, which in turn bolsters confidence in your organization.
11. Inform HHS
Tell HHS about your breach. Remember, any incident that affects more than 500 patients should be reported directly to the Office for Civil Rights.
12. Contact Your Patients
All companies are required to inform potentially affected individuals that a breach has occurred. Again, take care of this as quickly as is reasonable, for the same reasons mentioned above.
13. Tell the Media
As the saying goes, he who breaks the story controls the manner of its release. Acknowledging the breach openly with the media is much better PR than trying to cover anything up.
14. Offer Help
Everyone makes mistakes, but those who make an effort to rectify those mistakes rebuild trust in their organization that much faster. Do the right thing by offering help where help is needed.
15. Offer Resources
As part of the remediation process, provide resources to patients who are concerned about their privacy. For example, you can set up a dedicated toll-free (1-800) help line so affected parties can easily get answers to their questions, or offer free credit monitoring for one month.
16. Enforce Consequences
If your data breach resulted from a clear internal violation of your existing policies, the responsible party must face the appropriate consequences. Take the necessary disciplinary steps where they are called for.
17. Review Policies
Any data breach is a good indicator that it’s time to review your processes and policies to prevent similar incidents in the future.
18. Provide Training
Further investigation of the breach could reveal that remedial training is required to ensure that all employees are in compliance with current data guidelines.
19. Promote Awareness
Most healthcare organizations have a great many policies and procedures that employees are expected to follow, and it’s possible for data security concerns to get lost in the shuffle. Encourage awareness of the importance of HIPAA compliance, and make it clear that ignorance is not an acceptable excuse for noncompliance.
20. Focus on Prevention
While all of these steps are important for handling a data breach with professionalism and grace, the truth is that prevention is still the best policy when it comes to keeping information secure. Going the extra mile now to reduce the chance of dealing with fallout later is well worth the effort.
Written by Dean Van Dyke
Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.