Yesterday, SDG and Cyber Data-Risk hosted a webinar on changes to the definition of a data breach, and how HIPAA-covered entities and their business associates can prevent breaches and the penalties that follow them. While federal regulation requires that health information be protected by various safeguards, these safeguards are not always successful in preventing breaches.
Webinar presenters Christine Marciano, CEO of Cyber Data-Risk Managers, and John Tate, SDG Executive Vice President, highlighted four preventable data breaches from December 2013, all of which involved patient data on unencrypted devices: Barnabas Health of New Jersey, Kaiser Foundation Hospital Orange County - Anaheim Medical Center, Horizon Blue Cross Blue Shield of New Jersey, and Houston Methodist Hospital. These breaches affected between 1,100 and 840,000 patients each, and were likely very costly.
But are data breaches really preventable? The short answer is both yes and no. Marciano noted that breaches resulting from employee negligence—the loss of a laptop or USB flash drive, the misplacement of paper files—are almost entirely avoidable. Rigorous staff training and education, strict file and device handling policies, encryption of all devices, and limited use of paper files make an accidental incident unlikely. Hackers and thieves, however, are persistent, and may find ways through any security system an organization puts in place. The more protection and prevention measures an organization has in place, the better protected it is.
While it may not be possible to prevent all breaches or know when one is about to happen, being prepared to handle a breach is in every group’s best interest. Documenting a plan on how to manage any type of security incident may be time-consuming, but will make life far less hectic should any protected health information (PHI) ever be at risk.
Fundamentals for every plan should include:
- The creation of an incident response team with designated first responders
- A notification “tree” indicating which individuals notify each involved party (HIPAA-covered entities, business associates (BAs), law enforcement, executive level officers, patients, etc.) and at what point in time
- Employee training on breach protocol
- Communication templates and scripts for media and patient notification and contact
The presenters also suggested that healthcare organizations may want to purchase cyber/data breach insurance policies, which may help cover the expenses related to a data breach, including HIPAA fines, patient notification costs, and patient credit and identity theft monitoring services. Policies will also include a privacy attorney to assist in complying with state security and privacy laws, and may provide assistance through a response team.