The LA Times published an article last week reporting that, despite the recent huge earthquakes, much of Southern California is still woefully unprepared for “The Big One.” Some of the preparation is easy. Backpacks containing emergency provisions can be purchased on Amazon for about a hundred dollars. Other preparation requires a bit more thought, planning and financial investment. You hope you never need it, but it’s really good to have – just in case.
The healthcare industry finds itself in a very similar situation. According to an article on breach preparedness in the latest issue of For The Record magazine, it is not a question of if a hospital data security event will take place but rather when it will take place. Preparation is key – right now – not when you’re operating in crisis mode.
The Threat is Real
Becker’s reports there have been 27 hospital and health system data breaches reported in 2019, affecting anywhere from a few hundred patients to as many as a million patients. The healthcare industry is a primary target of cybercriminals – we all know this. And, although most, if not all, healthcare organizations have some sort of security framework in place to defend themselves, a 2018 Ponemon report says about 28% of healthcare providers will have a data security event within the next 24 months. Are you ready in case it happens to you?
You Must Have a Plan
There was some really good information in the breach preparation article. One of the key recommendations is to make sure you create a solid plan, so everyone knows what to do. A few high-level suggestions:
- Identify who gets notified the moment a data breach is discovered.
- Determine the cause of the security event, isolate it and shut it down before it grows and before you talk to the public about it.
- Make sure you have all the relevant facts before you communicate with patients or the media.
- Have a press statement prepared in case news of your breach is leaked before you’ve gathered all of your facts.
Here are some other tips from the article:
1. Form a Response Team
Representatives from key areas critical to responding to an incident, such as IT and Legal / Compliance, should be on the core team, as should functional areas that rely on the use of healthcare data, such as nursing leadership, pharmacy, and admissions. If your organization’s IT department does not have resources versed in computer forensics, you may wish to contract with an incident response firm in advance, or at least have a trustworthy or specifically certified firm in mind. Consider an extended team that includes members from patient relations, HR and external partners.
Pre-arrange an out-of-band communication channel in case standard channels (email, etc.) cannot be trusted, since attackers may have access to them and may be monitoring communications.
2. Educate Your Internal Staff
A part of your plan should be to regularly educate all internal staff members on what to do if they discover a breach has taken place. Time is a critical factor in these instances, and you can’t afford to waste it with employees who are unaware of the appropriate protocol.
Side Note: Over half of healthcare security incidents were triggered by internal users going about their jobs. Many of these were phishing related. So your education should cover not only what to do when a breach is discovered but also what to look out for to avoid triggering a breach in the first place. Consider running phishing tests across your organization regularly and following up on the results, for example with additional training for employees who clicked on attachments or links in the test phishing emails.
3. Conduct Simulations
Just like the school fire drills we had as kids, healthcare providers need to fire-drill their breach preparation plan. Simulation testing should cover two levels:
- data breach scenario
- data unavailability scenario
Verve magazine recently published an article describing a very real simulation at Maricopa Medical Center in which an emergency room patient was having a stroke and in dire need of a CT. When the ER resident looked at the computer screen, there was a message demanding bitcoin payment. A few minutes later, the same message appeared and shut down the scanner. Scary but not beyond the realm of reality. To make sure your plan is solid enough to handle these types of situations, test it at least once a year.
4. Don’t Forget Trust-Building Initiatives
There are many different state, federal, and international laws and regulatory requirements that must be considered in the details of your plan. Depending on the type of breach, you may be required to report it to the media as well as patients affected by the event. Broad public awareness can cause massive damage to your reputation and the trust you have built within the communities you serve. Make sure your communication strategy doesn’t end at alerting patients or the public of a breach. Rebuilding trust is a longer-term strategy but one that is essential to your reputation. Don’t overlook it.
Your Plan is the Difference
You can do everything possible to protect your organization from a data breach, but the reality is you may experience one at some point. How you deal with it determines how long it will take you to recover and how much it ultimately costs you. Consider the following example.
Last year, Under Armour reported a massive breach that affected 150 million users of its diet and exercise mobile app. The company’s response was so swift and well-executed, it was praised in a Forbes article shortly thereafter. About a month after the breach announcement, Under Armour’s share price had increased by more than 9 percent. Compare that to the Equifax data breach affecting 143 million consumers. A month after its announcement, Equifax’s share price had dropped by more than 11 percent. As of July 22nd, 2019, Equifax announced a $671 million settlement.
A plan matters. Make sure you have one, or just like Southern California, you could be left scrambling when “The Big One” hits.