Best Practices for Responding to a Healthcare Data Breach

In 2018, the healthcare industry saw more than 15 million patient records stolen or compromised in some way over the course of 503 data breaches. But by the halfway point of 2019, the industry saw that number surge to more than 25 million patient records, highlighting a major need for cybersecurity health and breach response plans.

These breaches, like the Quest Diagnostics breach last summer that saw 12 million records compromised in one incident, are gaining steam in the sector, hurting industry stakeholders and patients. Whether it’s a third-party vendor opening the door to phishing attacks or the infiltration of a system to gain personal data, such as Social Security Numbers, the organizations affected by these attacks need to have an effective response plan in place.

Cyberattacks Are Inevitable

In a perfect world, all data breaches would be stopped in their tracks, but this isn’t possible. With hackers targeting healthcare providers for health information, data breaches are only going to increase. In fact, data breaches won’t be a one-time event for hospitals and doctor’s offices alike: attacks will land on them multiple times, possibly from the same culprit.

It’s important for these entities to develop a health data breach response plan that can be deployed immediately once a cyberattack or malware infection is discovered. The goal is to limit the impact of the attack so that the issue doesn’t spread. Another way to limit exposure and impact is by investing in healthcare cybersecurity insurance that will provide entities the resources to cover settlements, recover systems following an attack, and retain capable legal representation for guidance.

Response Plans

Following a data breach, hospitals and medical offices should make a thorough assessment of the damage on their hands, looking into how widespread it is and how many people were affected. After the risks have been assessed, a risk management plan should be put in place to address any vulnerabilities that contributed to the breach. Policies and procedures should also be reviewed to determine whether updates are required.

After this initial assessment, a breach report should be submitted to the Department of Health and Human Services via the HHS Office for Civil Rights breach reporting platform. Notifications should also be sent to all individuals impacted by the breach, letting them know the nature of the breach, what information was exposed or stolen, and what the hospital or medical office is doing in response.

Healthcare organizations must also comply with state data breach laws. Currently, 48 states in the nation have introduced some form of data breach laws that require faster notifications and the provision of credit monitoring and identity theft protection services to those affected by the breach.

The response plan should allow resources to be directed at handling the breach without disrupting the wider organization. There may be a need to bring in cybersecurity experts to weigh in on how to move forward after notifying the public and examining the vulnerabilities in the network.

Lastly, the IT department of a hospital or medical organization will bear the brunt of the breach response tasks, so it’s important that the department’s staff understand the steps that need to be taken and in what order.

About Highland Risk Services

At Highland Risk, we use our expertise and experience to provide insurance information and programs to those who serve long-term care and senior living facilities. Since 2007, we’ve been offering insurance and risk management plans designed to help our agents give their clients the ability to achieve continued growth while simultaneously protecting against loss, containing costs and increasing profitability. With offices to serve you in Chicago, Illinois and Phoenix, Arizona, we do everything we can to make your experience with us as professional and transparent as possible. To learn more, contact us at (877) 890-9301.