Mitigating Cyber Risk — Responding to a Breach
How to respond if you have a reasonable suspicion that your patients’ data has been compromised.
If a breach is found, you are then required to notify affected patients. The investigation and notification process is generally lengthy and complex, and cumulative costs for these requirements are likely to be very high.
If you suspect your data has been breached, respond quickly with the following steps:
- Hire an attorney who is experienced in data breach law. Because this is an emerging specialty, it may be difficult to find a lawyer with this type of experience.
- Hire an IT forensics expert who can help identify the cause and possibly even the source of the breach.
- Once the legal and forensics reviews are underway, notify the affected individuals. Most laws require you to notify patients with letters sent through the U.S. Postal Service.
- Notification letters are likely to cause recipients to call for more information. In cases of large numbers of affected patients, hiring a call center may be the most efficient option. Call-center personnel are trained and can deliver a consistent message to callers.
- Finally, a standard industry response to a substantial breach is to provide a remedy to affected individuals, such as a credit-monitoring service.
Prepare for Lawsuits
To add further complication to an already difficult process for practices and patients, trial attorneys are creating a new niche for themselves: data breach class actions. Large data breaches are often associated with expensive litigation and settlements, and a growing number of attorneys are now prospecting for well-publicized breaches. These attorneys will aggregate a class of affected individuals to sue providers for statutory damages, citing laws created well before the rise of cyberattacks. Though only a small number of these lawsuits have made it to court, providers who are sued must still defend themselves. Be sure to enact an effective, quick response once you experience a breach. The trial attorneys will endeavor to discredit your response to build their case.
As discussed earlier, state or federal regulatory agencies are likely to investigate substantial, well-publicized breaches. The OCR is a well-staffed, well-funded agency that likes to make examples of organizations that do not adequately protect the personal information of their patients. Fines are possible, and the damage to your reputation can linger for years.
Plan Your Response Now
The single most important element in preventing or minimizing a data breach is to develop and implement an Incident Response Plan (IRP). An IRP will vastly improve the timeliness of your response to a breach. Regulators and trial lawyers will look very closely at your response, so acting sensibly and having a strategic, structured plan in place makes all the difference in the world. In the heat of the moment, you do not want to scramble and improvise.
To prepare a strategic breach response, build an IRP that contains these three elements:
- Adopt robust system controls, especially encryption for laptops and mobile devices. Some of the largest breaches have occurred because of lost or stolen laptops or smartphones. Encrypting the data on these devices ensures safe harbor: most state laws concerning breaches have safe harbor provisions for organizations that encrypt data. Be aware that password protection is not encryption. A login or screen-lock password alone leaves the data on the drive readable if the drive is removed or the device is booted from other media; only full-disk or file-level encryption with a properly managed key protects the data itself.
- Train staff to reduce your exposure to breaches. The goal is to protect information and patients and to help employees understand how to treat data. All trainings should be documented.
- Transfer risk. Insurers are offering more products that directly address data breach risk and will help cover many of the costs you’ll incur when you investigate and respond to a breach. It’s important to have the right coverage built into your overall risk management plan.
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.