Risk Management Tools & Resources

 


Preparing for the Inevitable: Security Incidents and Data Breaches

Laura M. Cascella, MA, CPHRM

security-incidents-data-breaches

In an ideal world, putting in place proactive security measures would guarantee the safety of protected health information (PHI) and other confidential data. However, experience has shown that even well-guarded networks and systems can be infiltrated, resulting in compromised infrastructure, privacy and security violations, and even data losses (for example, in cases of ransomware).

Security incidents and data breaches might be malicious or inadvertent, and they might come from within or outside of a healthcare organization. Further, not all incidents and breaches occur through technology; for example, failure to properly dispose of hardcopy records can lead to a security violation and data breach.

With the knowledge that these types of events “are no longer a probability but an inevitability,”1 healthcare leaders, providers, staff, and vendors should take steps to prepare. Failure to prepare can worsen the outcomes of an incident or breach and increase financial losses associated with damage control.2

Common sense preparation includes developing an incident response plan, understanding requirements for notifying affected individuals, being aware of reporting requirements, establishing documentation standards, and planning for corrective actions and training.

Developing an Incident Response Plan

Proactively planning for security incidents and data breaches can help facilitate a prompt and efficient response when an event occurs. Healthcare organizations should identify privacy/security officers who can assist in overseeing policies and developing response procedures. Additionally, organizations should implement incident response teams to carry out action plans.

Although each organization’s incident response plan will vary based on the characteristics of the organization (e.g., size, systems, and resources), individuals creating or updating the plan should consider including information about (a) what qualifies as a security incident or data breach; (b) federal and state laws; (c) staff roles and responsibilities; (d) detection, analysis, and containment; (e) communication; and (f) security vendors and experts.

Security Incident and Data Breach Definitions

Defining what qualifies as a security incident or data breach can help the privacy/security officer, the incident response team, and staff members know what actions to take. Generally, a security incident is “an event that compromises the integrity, confidentiality or availability of an information asset,"3 while a data breach is “an impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of the protected health information.”4

Using these definitions, a security incident might involve a stolen laptop that contains electronic PHI (ePHI). If the ePHI was not encrypted to protect privacy, it is reasonable to believe that an unauthorized person could have viewed the information — thus, a data breach has occurred. However, if the ePHI was encrypted and the encryption key was not stolen, it is reasonable to believe that the ePHI was not accessed by any unauthorized individuals — thus, a security incident has occurred, but not a data breach.

Definitions should cover both electronic and physical types of security incidents and breaches (e.g., cyberattacks, lost laptops, improper destruction of data, etc.) as well as the steps that the incident response team will take to determine whether an incident and/or breach has occurred.

Federal and State Laws

Healthcare organizations should be aware of their obligations under the HIPAA Privacy, Security, and Breach Notification Rules for protecting patient information and for responding to and reporting security incidents and data breaches. For more information, see the Center for Medicare & Medicaid Services’ HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules and the U.S. Department of Health and Human Services’ (HHS’) information on HIPAA for Professionals.

All 50 states, Washington, D.C., and some U.S. territories also have laws regarding data breaches. Healthcare organizations should build guidance into their incident response plans that is consistent with applicable state or territory laws. For more information, see the National Conference of State Legislatures’ information on Security Breach Notification Laws.

Staff Roles and Responsibilities

The privacy/security officer, members of the incident response team, and other staff members should be aware of their roles and responsibilities for reporting and responding to security incidents and data breaches. The incident response plan should clearly assign accountabilities by position/qualifications and ensure ample coverage for critical activities.

Security incident and data breach reporting and response accountabilities also should be included in written job descriptions for relevant positions, and these accountabilities should be reviewed periodically to ensure appropriate delegation and to identify possible gaps.

Detection, Analysis, and Containment

The incident response plan should identify the ways in which the organization routinely scans systems and monitors for security incidents and data breaches. Early detection can help isolate any issues and minimize negative outcomes.

The plan also should include steps for analyzing incidents and breaches that occur (e.g., what happened, how it happened, which systems were affected, whether data was inappropriately disclosed, etc.) and taking immediate action to contain the situation and address vulnerabilities.

Communication Strategy

Communication is critical when responding to a security incident and possible data breach. The privacy/security officer, incident response team, and other staff members will need to coordinate and share information to effectively execute appropriate protocols.

The communication strategy should take into account various security and breach scenarios and include contingencies for communicating in the event that systems must be shut down or taken offline.

Security Vendors and Experts

Healthcare organizations may choose to enlist the services of outside security vendors and consultants to assist in responding to security incidents and data breaches. Establishing these relationships in advance, making staff aware of these resources, and determining what information vendors and consultants will need to perform their services will help expedite the incident response plan.

Notifying Affected Individuals

When a security incident occurs, healthcare organizations are obligated to notify individuals whose PHI was inappropriately accessed, acquired, used, or disclosed.5 Breach notification letters are required regardless of the number of people affected, and the letters should be sent within 60 days of the discovery of the data breach. Although 60 days is the maximum time allotted, healthcare organizations should send the notifications as soon as reasonably possible.6

The breach notification letters should be written in plain language and include information about the nature of the breach, what data were compromised, what steps the healthcare organization is taking to respond to the situation and reduce damage, how the organization intends to prevent future incidents, and what steps affected individuals can take to limit harm. The letters should include contact information (a toll-free phone number, physical address, and email address) that recipients can use to contact the organization for further information.7

The HIPAA Breach Notification Rule also stipulates that breach notification letters must be sent via “first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.”8

In the event that the organization has insufficient or outdated contact information for 10 or more affected individuals, HIPAA also requires the organization to post notice of the breach on its website for at least 90 days. Alternatively, the organization can provide notice of the breach in major print or broadcast media in areas serving the affected individuals.9

Healthcare organizations also should determine whether any state-specific laws apply to breach notification, such as requirements for expedited notification or the provision of credit monitoring and identity theft services.10

Reporting to the Appropriate Regulatory Authorities and Media

In addition to notifying individuals who are affected by a data breach, healthcare organizations also must report data breaches to the appropriate authorities and entities as specified in federal and state law.

Determining the scope of the breach is an important factor in understanding reporting requirements under the HIPAA Breach Notification Rule. Organizations will need to know whether the breach affected more than or fewer than 500 individuals.

  • Breaches affecting more than 500 individuals. The healthcare organization must notify HHS without unnecessary delay and within 60 days of the breach discovery. Reporting is done through an Office for Civil Rights (OCR) web portal. The organization also must notify a prominent media outlet in the area in which the affected individuals are located within 60 days of the breach discovery.11
  • Breaches affecting fewer than 500 individuals. The organization must notify HHS of the breach via the OCR web portal no later than 60 days after the end of the calendar year in which the breach occurred.12 For example, a breach affecting fewer than 500 people that occurs in July 2022 must be reported to HHS no later than March 1, 2023.

Under state law, healthcare organizations also might be required to report breaches to the state attorney general.13 The incident response plan should include complete information about all federal and state reporting requirements.

Further, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require healthcare organizations to report cyberattacks to the Department of Homeland Security (DHS). The new law, signed March 15, 2022, requires organizations in critical sectors to disclose any cyberattacks to the government within 72 hours of discovery and 24 hours of ransom payment.14 The law could take up to 36 months to go into effect.15

Documentation

It is essential for healthcare organizations to not only take action when a security incident occurs and confidential data are exposed, but also to document those actions for record-keeping and auditing purposes. Documentation should include details about:

  • What happened and how it occurred (as determined by an analysis of the incident)
  • How the organization responded to the data breach
  • How affected individuals were notified of the data breach (including proof that notification letters were sent)
  • When the data breach was reported to HHS, state authorities (if applicable), and the media (for breaches affecting more than 500 individuals)

If a security incident occurs but confidential information is not exposed, healthcare organizations should still document details about the incident as well as evidence supporting the decision not to send breach notification letters. When CIRCIA goes into effect, healthcare organizations also should document their notification to DHS of any cyberattacks.

Planning Corrective Actions and Training Staff

Once a security incident has occurred and the event has been analyzed, system and process vulnerabilities will likely come to light as well as opportunities to strengthen security protocols. Healthcare organizations should specifically address the factors that led to the incident and implement solutions to prevent similar events and other types of security lapses. The HIPAA Journal notes that “Government and regulatory bodies will expect to see security vulnerabilities addressed rapidly following a breach of PHI. A data breach may not warrant a HIPAA fine, but a failure to address security risks will.”16

Additionally, knowledge gleaned from analyses of security incidents and data breaches should be used to inform staff education and training opportunities. Staff members should be aware of the organization’s security plan and incident response procedures, particularly if they have specific responsibilities in relation to the security protocols. Tabletop exercises and drills can help reinforce a coordinated, quick response to a security threat.

In Summary

Proactive measures can significantly reduce the risks associated with security incidents and data breaches, but even highly secured systems can be circumvented. Because security incidents and breaches are not just a possibility, but also a probability, healthcare organizations should have thorough incident response plans and teams that are prepared to quickly take action. Preparation and a timely response can minimize damages and financial losses and help avoid unnecessary chaos in the aftermath of an incident.

Endnotes


1 HIPAA Journal. (2015, October 2). How to respond to a healthcare data breach. Retrieved from www.hipaajournal.com/how-to-respond-to-a-healthcare-data-breach-8128/

2 Ibid.

3 Verizon. (2022). Data breach investigations report. Retrieved from www.verizon.com/business/resources/reports/2022/dbir/2022-data-breach-investigations-report-dbir.pdf

4 U.S. Department of Health and Human Services. (2013, July 26). HIPAA for professionals: Breach Notification Rule. Retrieved from www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

5 HIPAA Journal. (2020, October 4.) What are the HIPAA breach notification requirements? Retrieved from www.hipaajournal.com/hipaa-breach-notification-requirements/

6 Ibid.

7 Ibid.

8 U.S. Department of Health and Human Services, HIPAA for professionals: Breach Notification Rule.

9 Ibid.

10 HIPAA Journal, How to respond to a healthcare data breach.

11 U.S. Department of Health and Human Services, HIPAA for professionals: Breach Notification Rule.

12 Ibid.

13 HIPAA Journal, What are the HIPAA breach notification requirements?

14 Gonzalez, G. (2022, March 17). Healthcare organizations now must report cyberattacks to DHS. Becker’s Hospital Review. Retrieved from www.beckershospitalreview.com/cybersecurity/healthcare-organizations-now-must-report-cyberattacks-to-dhs.html

15 Eversheds Sutherland. (2022, March 30). The Cyber Incident Reporting for Critical Infrastructure Act of 2022. JD Supra. Retrieved from www.jdsupra.com/legalnews/the-cyber-incident-reporting-for-6058324/

16 HIPAA Journal, How to respond to a healthcare data breach.