Health data breach response has many facets. This much, healthcare security professionals know. But properly responding to a breach starts even before breach response actually begins, said Rebecca Herold, CIPM, CISSP and CEO of The Privacy Professor and Rebecca Herold & Associates in Des Moines, Iowa.
Not defining or understanding what constitutes “personal information” subject to breach response and notices can be a major problem for healthcare organizations. In fact, Herold visited a healthcare organization recently that experienced a customer seeing another customer’s account data on their screen as a result of a programming upgrade error. The organization said, “Well, they only saw the other person’s name, address and phone number. No patient data. So that’s not a breach, right?”
“I explained that those items are protected health information (PHI) under HIPAA,” Herold said, “and so must be reported as a violation and likely breach.”
Keeping the workforce informed
Kate Borten, president of the Marblehead Group in Marblehead, MA, said she continues to see organizations struggle with adequate privacy and security incident response. Organizations must “lay the groundwork through workforce awareness and training to immediately report all suspected and actual privacy and security incidents, no matter how trivial they seem,” Borten said.
As an example, Borten cited a hospital employee who sends an email with PHI to another hospital, but it’s the wrong hospital, or to the wrong physician. “These are privacy and security incidents that should be reported and investigated,” she said. “They are most likely violations – and the Department of Health and Human Services (HHS) expects organizations to respond – but probably not breaches.”
No privacy, security silos
Another problematic area Borten sees is the artificial separation between privacy and security. “In fact, when it comes to HIPAA privacy violations,” she said, “they are almost certainly also security (confidentiality) violations. Organizations’ privacy and information security officers should jointly ‘own’ their Incident Response Plan.”
Borten also said to include in the incident response plan decision trees for breach determination; not only for HIPAA, but also for all state breach notification laws to which the organization is subject. “The plan should also clearly define what data is subject to each regulation,” Borten said. “Incidents may be both a HIPAA breach and a state breach, or only one or the other, or neither. There remains confusion about this, even among some legal experts who should know better.”
CISO strategies for success
Herold shared with us some activities that all CISOs, in collaboration with their CPOs, should do when it comes to incident response plans:
Know where personal information, in all forms, is located – Maintain a documented information inventory. You can’t know if personal information has been breached if you don’t know where it is located.
Document detailed breach identification and response policies and procedures – Many organizations have poorly written policies that are not specific to their actual business practices, and their procedures lack sufficient details.
Assign breach response and management responsibility – There should be a point person to lead and coordinate all activities. If not, there will be multiple people trying to do the same activities, some not doing important activities, and inefficiency all the way around.
Test the breach procedures – Too many organizations think that if they have words on paper, they’re done. If you don’t actually test your breach response procedures, through a tabletop dry run, you could end up having completely unworkable procedures when a real incident and breach occurs.
Collaborate between the information security, privacy, IT and legal offices – Without collaboration, mistakes occur, activities are overlooked and bad decisions are made.
Provide more training for breach response – Herold said she’s had a growing number of organizations coming to her for breach response training in the past year, up significantly from previous years. It seems organizations are starting to realize they need to do more to be prepared than just identify a person to handle a breach, and write their name and phone number down.
Get in tune with all breach notice laws – “Many of my clients, especially the small and mid-sized ones that are BAs that are also doing work for entities in other industries, think they only need to follow HITECH breach notice requirements,” Herold said. “They have always been surprised to learn that there are currently at least 50 U.S. state and territory breach notice laws they must also follow, as applicable to where the individuals impacted reside.” Breaches involving PHI from healthcare CEs are usually covered in such situations, she added, unless there are some data items outside of the definition of PHI.
Know that the laws of all the states where the impacted individuals reside must be followed – Too many healthcare professionals and lawyers think they only have to follow their own state’s breach notice laws, even though they may have the personal information of people from many other states, and countries. “I have found this to be the case a lot in the information security and privacy classes I teach,” Herold said.
Ultimately, organizations must cut through the misperceptions of what constitutes a breach – without that starting place, what good is a response plan after all? “Too many organizations have a misconception,” Herold said, “about the types of information that qualify as ‘personal information’ when a breach occurs.”