Protect your organization after a healthcare data breach.
Data breaches can be devastating. Even entities with strict data security and IT policies could easily go the way of one of these 400 health organizations currently listed in the U.S. Department of Health and Human Services’ database. Healthcare organizations continue to account for a significant share of reported data breaches overall.
It’s up to you to protect your patients and organization. These 5 steps will help you stop information from being stolen, mitigate further damage, and restore operations as quickly as possible.
SEE ALSO: HIPAA FAQS
1. START YOUR INCIDENT RESPONSE PLAN
If you suspect a data breach, it's critical to stop information from being stolen and repair your systems so a breach won’t happen again. This begins by executing your incident response plan (IRP).
Set your incident response plan into motion as soon as you discover a breach.
Department of Health and Human Services (HHS) states that an “impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.”
A well-executed incident response plan can minimize breach impact, reduce fines, decrease negative press, and help you get back to business more quickly. In an ideal world, you should already have an incident response plan prepared and employees trained to quickly deal with a data breach situation.
However, most breached organizations SecurityMetrics has investigated didn’t have an incident response plan at the time of the breach.
With no plan, employees scramble to figure out what they’re supposed to do, and that’s when mistakes are made. For example, they may wipe a system without first creating images of the compromised systems to learn what occurred and to avoid re-infection.
SEE ALSO: What's In Our 2018 HIPAA Guide
2. PRESERVE EVIDENCE
When a healthcare organization becomes aware of a possible breach, it’s understandable to want to fix it immediately. However, without taking the proper steps and involving the right people, you could inadvertently destroy valuable forensic data used by investigators to determine how and when the breach occurred, and what to recommend in order to properly secure the network against the current attack or similar future attacks.
When you discover a breach, remember:
- Don’t panic
- Don’t make hasty actions
- Don’t wipe and re-install your systems (yet)
- Do follow your incident response plan
3. CONTAIN THE BREACH
1. Begin by isolating the affected system(s) to prevent further damage until your forensic investigator can walk you through more complex and long-term containment.
2. Disconnect from the Internet by pulling the network cable from the firewall/router to stop the bleeding of data.
- Document the entire incident. Include the following information:
- How you learned of the suspected breach
- The date and time you were notified, and how you were notified
- What you were told in the notification
- All actions taken between notification and the end of the incident
- The date and time you disconnected systems in the PHI environment from the InternetIf and when you disabled remote access
- If and when you changed account credentials/passwords
- All other system hardening or remediation steps taken
3. Disable (do not delete) remote access capability and wireless access points. Change all account passwords and disable (not delete) non-critical accounts. Document old passwords for later analysis.
- Change access control credentials (usernames and passwords) and implement highly complex passwords, or even better, use passphrases (link).
- Segregate all hardware devices in the electronic medical record (EMR) from other critical devices. Relocate these devices to a separate network subnet and keep them powered on to preserve volatile data.
- Quarantine instead of deleting or removing identified malware found by your antivirus scanner for later analysis and evidence.
- Preserve firewall settings, firewall logs, system logs, and security logs. Take screenshots if necessary.
- Restrict Internet traffic to only critical servers and ports outside of the EMR. If you must reconnect to the Internet before an investigator arrives, remove your EMR from any devices that must have Internet connectivity until you consult with your forensic investigator.
4. Contact the HHS (if you haven’t already) and let them know what happened.
5. Consider hiring a law firm experienced in managing data breaches. It won’t be cheap, but they may help you avoid pitfalls that could damage your organization’s reputation. Your law firm may hire a forensic firm to immediately investigate and ensure you’ve properly contained the breach.
4. START INCIDENT RESPONSE MANAGEMENT
Assemble your incident response team
A data breach is a crisis that must be managed through teamwork. Assemble your incident response team immediately. Hopefully you’ve already met and discussed roles during crisis practices and initiated your incident response plan.
Your team should include a team leader, lead investigator, communications leader, C-suite representative, office administrator, human resources, IT, attorney, public relations, breach response experts, and a business associate representative (if applicable). Each brings a unique perspective to the table with a specific responsibility to manage the crisis. In smaller organizations, some people might fulfill multiple roles.
Breach notification rule
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured patient data.
If you’re a covered entity, your statements must be sent to affected patients by first-class mail (or email if the affected individuals agreed to receive notices) as soon as reasonably possible. This notification must be no later than 60 days after breach discovery.
If 10 or more individuals’ information is out-of-date or insufficient (or the breach affects more than 500 residents of a state or jurisdiction), post the statement on your website for at least 90 days and/or provide notice in major print or broadcast media in the affected area.
Covered entities also need to notify the Secretary of the HHS about the breach. If a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. If a breach affects 500 or more individuals, covered entities must notify the Secretary of the HHS within 60 days following a breach (if not immediately).
If you’re a business associate, notify affected covered entities after discovering the data breach immediately (and no later than 60 days after discovering the breach). Identify each individual affected by the breach, as well as any information necessary for statements. Send this information to affected covered entities.
Covered entities could potentially be liable if their business associate is found to be in breach of HIPAA requirements.
Consider public communications
Proper communication is critical to successfully managing a data breach, and a key function of the incident response team is to determine how and when notifications will be made.
Identify in advance the person within your organization (perhaps your inside legal counsel, newly hired breach management firm, C-level executive, etc.) who is responsible for ensuring the notifications are made timely. Your public response to the data breach will be judged heavily, so think this through.
SEE ALSO: How to Send a HIPAA Compliant Email
Disclosures of the breach, both within the company and to the public, should be in accordance with advice from your legal counsel.
Stalling is not in your best interest
Your patients will discover if you keep important breach information from them. If the media marks your organization untrustworthy for withholding information, that label could end up hurting you worse than the other effects of the data breach. Some organizations fall into the, “Let’s make sure we know exactly what’s going on before we say anything at all” trap, but excessive delays in releasing a statement may be seen as an attempted cover-up.
Providing some information is usually better than saying nothing at all. You can always provide updated statements as needed on your website. In all cases regarding public statements, seek the guidance of your legal counsel.
Make sure employees don't announce the breach before you do
Poorly informed employees can often circulate rumors, whether true or not. As a team, establish your media policy that governs who is allowed to speak to the media. Designate a spokesperson and ensure employees understand they are not authorized to speak about the breach.
Get your statements together
Your incident response team should craft specific statements that target the various audiences, including a holding statement, a press release, a patient statement, and an internal/employee statement. These should be communicated to appropriate parties that could potentially be affected by the breach, such as business associates, third-party contractors, stockholders, law enforcement, and ultimately patients.
Your statements should address questions the include:
Which locations are affected by the breach?
How was it discovered?
What personal data is at risk?
How will it affect patients and the community?
What services or assistance (if any) will you provide your patients?
When will you be back up and running, and what will you do to prevent this from happening again?
Explain that you are committed to solving the issue and protecting your patients’ information and interests. Where you deem appropriate, you could offer an official apology and perhaps other forms of assistance such as ID theft monitoring.
5. INVESTIGATE AND FIX YOUR SYSTEMS
Management of a data breach doesn’t end with your public statement. Now comes the hardest part: investigating and fixing everything. Luckily, you’re not alone. If you hire a forensic investigator, they will perform the majority of the investigation and then provide recommendations on how to repair your environment to ensure this doesn’t happen again.
Bring affected systems back on line
After the cause of the breach has been identified and eradicated, you need to ensure all systems have been hardened, patched, replaced, and tested before you consider re-introducing the previously compromised systems back into your PHI environment. During this process, ask yourself these questions:
- Have you properly implemented all of the recommended changes?
- Have all systems been patched, hardened, and tested?
- What tools/reparations will ensure you’re secure from a similar attack?
- How will you prevent this from happening again? (Who will respond to security notifications and be responsible to monitor security, intrusion detection system, and firewall logs?)
Make sure it doesn't happen again
A key part of a successful breach response is what you learned from the breach. After the dust has settled, assemble your incident response team once again to review the events in preparation for a potential attack. Incorporate the lessons you’ve learned and ask, “How can we improve the process next time?” And then revise your incident response plan. Don’t forget to communicate your commitment to data security to the media, even after you’ve repaired the damage.
Don't be caught unprepared
Practice and review your incident response plan with annual tabletop run-throughs and simulation training. If you don’t have a plan, make this a top priority.
With a solid and practiced incident response plan, you and your staff will be ready to stop patient data from being stolen, mitigate further damage, and restore operations as quickly as possible.
Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.