Breach Resolution: A Success Strategy
Tips for Effective Breach Prevention, Detection, NotificationA key to developing a successful data breach prevention, detection and notification program is to gain buy-in from senior management and board members, Krenek stresses. Winning support requires educating leadership about the potential financial and reputational costs of breaches, he adds.
HealthcareInfoSecurity's inaugural Healthcare Information Security Today survey, which was co-sponsored by Experian, reveals that 43 percent of organizations grade their ability to counter information security threats as poor, failing or in need of improvement.
In an interview about the survey results, Krenek says healthcare organizations need to hire a chief privacy officer or chief information security officer to lead the effort to prevent breaches and comply with federal and state regulations, including the HIPAA breach notification rule.
"Preparing for a data breach means outlining exactly what steps you'd take to bring things under control if one occurs," Krenek adds. "So a written plan is absolutely key."
In the interview, Krenek provides nine breach resolution tips, including:
- Offering annual compliance training;
- Designing a "security strategy that is flexible enough to address changing threats and legal requirements;"
- Avoiding "waiting until the last minute" to create plans for consumer breach notification, identity theft protection and other post-breach details;
- Conducting a "mock data breach" to detect gaps in your breach resolution plans.
Krenek, senior director at Experian® Data Breach Resolution, has managed resolution for many of the largest data breach incidents in the healthcare, financial and government sectors. Certified in Healthcare Compliance (CHC), he is currently the dedicated data breach resolution account manager for one of the nation's largest healthcare plans. He specializes in pre-breach planning, incident management and identity protection solutions.
Complete survey results are now available.
Countering Threats
HOWARD ANDERSON: In the survey, we asked participants to grade their organization's ability to counter external and internal information security threats. Forty-three percent graded their ability as either poor, failing or in need of improvement. Why do so many organizations still have such a long way to go when it comes to countering threats and preventing breaches, do you think?
BOB KRENEK: I think there are many, many factors, but ultimately I believe it comes down to key leadership has not bought into the whole process. And by key leadership, I not only mean just the CEO, but the board needs to be involved as well. I think there is probably a lack of understanding of the impact that it might have on the particular hospital or healthcare entity. By impact, I mean a couple different things. One is the financial, which would be HIPAA and HITECH, which non-compliance basically equates to fines. Then secondly are the brand or reputation risks that are part of that as well. One of the other factors that are affecting people in their compliance with this is the bad economy. As I'm assuming you are aware, the cost to protect data is getting more and more expensive, and to come into compliance is very costly. The bad economy, I think, has had some effect on that as well.
I would recommend ... hiring a CPO, or chief privacy officer, or chief information security officer, that reports directly to the board. Again, I think having them report directly to the board can pay some very large dividends. Then I think it's kind of fallen off of everybody's plate [that] HIPAA mandates a risk assessment. And you saw in your survey, a lot of these folks have not even done a risk assessment.
Nine Steps
ANDERSON: The survey showed that only half of organizations have a detailed plan in place to comply with the HIPAA breach notification rule that was mandated under the HITECH Act. I understand you have a list of about nine suggestions for data breach prevention, detection and notification. Why don't you walk us through each of those steps?
KRENEK: Preparing for a data breach means outlining exactly what steps you'd take to bring things under control if one occurs. So a written plan is absolutely key. There's a lot to lose if your organization experiences a breach of PHI, and if the breach catches you off guard you may pay severe fines and reputation damage from mishandling it. There are steps that your organization can take to help minimize risk associated with the data breach.
The first thing I would recommend is that they appoint a responsible party. Every organization needs a dedicated resource to handle the privacy and security issue. This person or team should implement process improvements, review non-compliance issues and initiate any investigations and assign leadership for all legal and notification efforts in the event of a breach. Again, as I had mentioned earlier, I think the chief privacy officer or the CISO would be definitely a benefit in that role.
... Healthcare organizations need to make annual compliance training a priority. A variety of individuals require access to PHI to perform their jobs, and everyone needs to be aware of the risks associated with mishandling PHI. The more informed everyone is in your office, the stronger your compliance efforts will be.
The next would be to observe information. Automated monitoring of employee and patient information will alert organizations to possible data breaches often before they spiral out of control. Additionally, I would instill a compliance culture. I think compliance does not just happen. It has to be built in to the culture, and all individual staff, contractors and partners must be diligent in their compliance and alert the responsible party to process and/or individuals who may be operating outside of the privacy policy.
Next would be to design a long-term plan, develop a formalized security strategy that's flexible enough to address changing threats and legal requirements. Again, that needs to be updated as needed. Then, leverage response efforts. If a data breach occurs, know in advance whom you are going to call for forensic analysis of the breach, as well as data breach resolution services, including consumer notification, call-center support, identity theft protection and fraud resolution services for affected individuals. Again, waiting to the last minute for implementing something like this is kind of adding a little bit of insult to injury, because now you're in crisis mode, hiring people as well as preventing a breach.
Next, organize notification. Various state and federal laws mandate notification timelines and standards. Breach notification should occur in a timely, thorough and clear manner following company awareness of the breach, and engage the data breach resolution provider to keep your notification efforts to comply on track.
A couple more items would be to secure the most vulnerable customers in order to mitigate the risk of new account fraud from occurring among customers with exposed PHI. Offer complementary subscriptions for identity theft protection and fraud resolution, including that of a healthcare notification if their health card identity is actually used.
And I think this is pretty much a given, but sympathize with the consumers, maintain open communication with and provide assurance to the affected individuals that the situation is being professionally addressed through a robust data breach resolution program. How you handle or mishandle a data breach response can help you to reduce or increase potential consumer fallout for a company and also help to mitigate financial risk.
... Don't forget again that HIPAA does mandate that you conduct a risk assessment. And the reason I bring this up is not only just for the healthcare entity, but as you work with your business associates, do you have those agreements in place to make sure that they are HIPAA-HITECH compliant? As you can see, data security is sure to remain an important initiative and challenge for the healthcare organizations. You just need to make sure that you're prepared if your security measures are compromised and a data breach occurs.
Reviewing Data Breach Programs
ANDERSON: Finally, how often should a healthcare organization review and update its data breach prevention, detection and notification program?
KRENEK: I recommend a minimum of one time per year, or as laws change, but a minimum of one time per year. Ideally it would be a couple times a year. Again, as we had mentioned earlier, what about the business associates? Are they keeping up to date with new laws and the new changes that are mandated either by state law, HIPAA or HITECH? The other thing that I would recommend is that you also do continuous training, as we had mentioned earlier regarding building a compliance culture. Something that we do within our organization is we actually do a monthly e-mail, what I call a one-pager that updates people on their role with privacy within our company.
The other thing I recommend is: Have you done a mock data breach to detect holes in your plan? So not only have your plan put in place, but make sure you've actually exercised it. As we mentioned earlier, the costs are just too big to ignore, whether it be financial or whether it be on the reputational side.