Help! We've experienced a breach! What Next?
Just recently, the Feinstein Institute for Medical Research agreed to a $3.9 million settlement and to undertake a substantial corrective action plan to bring its operations into compliance.
- The cause of the breach was a stolen laptop from an employee's car.
- The laptop contained ePHI and was not encrypted.
- In a nutshell, Feinstein lacked policies and procedures for safeguarding ePHI.
Many of you have probably heard about the cyberattack Hollywood Presbyterian Medical Center experienced.
- The hospital's computer systems were locked up by ransomware.
- The malware encrypted files on the affected systems and demanded a ransom in exchange for the decryption key.
- Ultimately, Hollywood Presbyterian Medical Center paid approximately $17,000 in bitcoin to the criminals to regain access to its data.
So far, it does not appear that patients' medical records were accessed by the attackers. Even so, the systems were compromised, which is itself a security incident the organization had to investigate and document.
Unfortunately, the healthcare industry has become an increasingly popular target and these types of incidents are becoming more common.
Reason for concern
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) publishes a list (often called the "Wall of Shame") of breaches of unsecured protected health information (PHI) affecting 500 or more individuals. An analysis of that list shows a significant increase in health data breaches in 2015.
Now, in 2016, OCR has stepped up its efforts to provide guidance, and when necessary to issue enforcement actions, to push organizations to prepare for a breach, follow proper notification procedures, and carry out proper mitigation.
Paper is not exempt
Jocelyn Samuels, Director of OCR, made it clear that we must safeguard PHI in all forms. Her statement is consistent with the HIPAA Privacy Rule, which applies to PHI in any format: paper records, electronic records, and oral communications.
Paper PHI is easy to forget about, and that is precisely why it remains a risk. While advances in technology have made it possible to gradually move from paper to electronic systems, many organizations still store and rely on paper records, and some have lost track of the paper PHI within their walls.
Because paper is not exempt, inventory all paper containing PHI and ensure adequate safeguards are in place to prevent impermissible access and theft of records.
Because breaches continue to rise, anyone involved in the healthcare industry needs to take this real threat of health data breaches seriously. We all need to ensure we don't have an "oh it won't happen to me" attitude. We need to be prepared as if something will happen.
It is also important to understand that a breach by itself does not mean you or your organization will be penalized. What OCR looks at is whether you had reasonable safeguards in place before the incident (your due diligence) and whether you handled the suspected breach process properly afterward.
Mitigating Risk of Compromise
How you mitigate the risk of compromise depends on the size and complexity of the breach. Take the example of a laptop containing PHI stolen from an employee's vehicle. The risk of compromise is reduced by full-disk encryption of the hard drive, by requiring a unique user ID and strong password to access any PHI, and by software that allows the laptop to be located or disabled remotely. One caveat a practitioner should keep in mind: a login password alone does not protect data on a stolen device, because the drive can simply be removed and read on another machine. Encryption is what actually protects the data at rest, and under HHS guidance PHI that was encrypted in a manner consistent with that guidance is not considered "unsecured," which can mean the incident is not a reportable breach at all. Feinstein's unencrypted laptop is the counterexample.
Another common breach is a misdirected fax. In one case, a medical provider closed his practice and his former fax number was reassigned to an unrelated individual; faxes intended for the provider were still being sent to that number. The sending organization used a cover sheet with a disclaimer instructing the recipient to contact them if they were not the intended recipient. A cover sheet with such a disclaimer is a reasonable safeguard in the event of a misdirected fax, though it does not by itself prevent the disclosure.
Mitigating Future Risk
Depending on your State and on what PHI was breached, you may be required to provide credit monitoring and/or identity theft protection to affected individuals. Beyond that, the follow-up steps depend on the breach. For a misdirected fax, for example, you should confirm that all pre-programmed fax numbers are correct, review your policies and procedures for electronic communications, and re-train the staff who sent the misdirected fax.
Mitigating future risk is a critical step after a breach and must not be overlooked. Demonstrable mitigation goes a long way with OCR.
Follow the Plan – Document Everything
Most of us have heard "if it isn't written, it isn't so." This is especially true throughout the entire breach process.
We cannot stress enough the importance of timely notification to affected individuals, to the Secretary of HHS, and, when appropriate, to your State Attorney General. Under the HIPAA Breach Notification Rule, individual notification must be made without unreasonable delay and no later than 60 calendar days after discovery of the breach.
Maintain documentation of these notifications, of your risk assessment, and of your mitigation steps, including records showing when notification was provided to affected individuals and to the Secretary of HHS. For a breach affecting 500 or more individuals, also document when notice was provided to the media.
Stolen devices, such as a laptop taken from an employee's car, and cybercrime, such as hacking and ransomware, continue to rise. Security and privacy professionals consistently rank device theft and cybercrime as high priorities, and they are often what keeps them up at night. We can all do our part to protect the privacy and security of the patient health information we access, share, or store. A breach can happen to anyone. When it does, what matters is how quickly and efficiently you respond and how well you limit its impact. If you have done your due diligence to put reasonable safeguards in place and you handle the suspected breach process properly, the breach itself is not what you will be penalized for. We cannot stress this enough.
If you have any questions or would like help with a breach you may have experienced, please do not hesitate to contact one of our professional consultants.