Data breach response plan: how healthcare providers should respond to a security incident

Bad actors don’t discriminate. They target companies of all sizes across industries. But some sectors, like healthcare, are targeted more than others.

It’s not surprising as 71% of data breaches at hospitals expose financial and demographic data that can lead to identity theft or fraud. In fact, by the end of the year, healthcare data breaches will cost the industry as much as $4 billion

Last April marked the highest monthly tally with 46 healthcare data breaches. So it’s now critical to enhance security protocols to protect patients and avoid massive fines for compliance violations. The bad news is that 2020 is poised to be much worse. 

How should hospitals handle a data breach? 

As no facility is immune to a cyberattack, healthcare providers must devise a healthcare data breach response plan. This approach will ensure higher confidence levels during an active security incident.   

How do you develop a robust response plan? 

Unfortunately, there’s no formula for this or a one-size-fits-all type of data breach solution. Instead, it has to evolve in parallel with the new threat landscape. 

The idea here is to always stay one step ahead of hackers. But before we get ahead of ourselves, let’s define it.

What is a data breach?

A data breach can be described as a security incident where hackers gain unauthorized access to secure databases, applications, and services. It’s a type of a security event that is specifically designed to steal valuable, personally identifiable information.

Data breaches are also often referred to as data leaks or data spills. It can result in data loss, including personal, health, and financial information (and clinics and hospitals have enormous amounts of it).

What are the types of data breaches at healthcare facilities?

To understand how to respond to a security breach, you have to first understand the different types of data breaches that can increase your organization’s exposure to risk. 

According to Intel, the following are the most common types of data breaches that threaten medical facilities:

Cybercrime hacking

These types of security events occur when a bad actor uses tactics like spear-phishing to gain access to healthcare databases. Malware and ransomware attacks also fall under this category.

The WannaCry ransomware attack that took down the National Health Service in the U.K is an excellent example of this type of hacking.

Insider accidents, snooping, and fraud

The weakest link has always been the human element. In this type of security incident, staff with good intentions might unknowingly share sensitive patient data. Often, this occurs when clinicians email unsecured patient information.

At the other end of the spectrum, a security event can also happen when a worker accesses patient records without a legitimate reason. 

This occurred at the Haga Hospital in the Netherlands where 197 employees accessed the medical records of a Dutch celebrity. The security event resulted in a General Data Protection Act violation and a fine of €460,000.

There is also the risk of disgruntled employees using their privileged access to engage in fraud. For example, they can sell sensitive patient information on the dark web for profit.

Loss or theft of hardware and mobile devices

This type of breach occurs because of employee negligence. When a mobile device or media containing sensitive patient data is lost or stolen, it can potentially lead to unauthorized access and a data breach.

For example, this occurred at the Sentara Heart Hospital, where stolen hard drives led to a data leak of sensitive patient data. 

Third-party data processors

This type of a security event occurs when a third-party partner experiences a security incident involving unauthorized access to your sensitive patient information.

If we take the recent data breach at the American Medical Collection Agency (AMCA), for example, it compromised the personally identifiable information of 20 million Americans. 

This information included the names, dates of birth, insurance details, provider, and balance information. This event resulted in numerous class action suits, enormous fines for compliance violations, and bankruptcy. AMCA’s four largest healthcare clients ceased operations after this massive breach.

Now that you know what to look out for, it’s time to develop a response plan.

Key Characteristics of a Healthcare data breach response plan

Responding to a data breach is never easy, but having a solid plan can help keep everyone calm while reacting adequately to an active security incident. 

It might help to include this in your organization’s crisis management plan because a breach is essentially an emergency. 

So what should we include in the healthcare data breach response plan? Here’s a checklist. 

  1. Assess the risks and address the vulnerabilities because prevention is key to lowering your exposure to risk. This is also the perfect time to vet all third-party partners.
  2. Alert trained staff who are ready to manage an active breach. Regular training will be critical to successfully managing an active breach.
  3. Set up protocols to identify what exactly happened. Did it involve legally protected information? Was there any material loss? Knowing this information will help you decide what to do next.
  4. Take steps to secure all data. At this juncture, the recovery team will need to act fast to contain and reduce the impact of the security incident.
  5. Change all passwords and encryption keys. You should do this as soon as all the affected machines have been put on lockdown.
  6. Clear all malicious code from the entire system. If the breach involved viruses or malware, you should set aside enough resources to clear them.
  7. Identify the source of the breach and alert the authorities. If you need external help, don’t hesitate to reach out to a data breach expert. Before you contact law enforcement, get your legal counsel involved.
  8. Protect all digital evidence and present it to the relevant authorities. It’s crucial to have protocols in place to collect as much information as possible to use as evidence. This approach can help reduce the impact of the incident when class action lawsuits and regulatory fines kick in.
  9. Notify all data owners of the breach and be honest. Having a data breach notification email template ready can help accelerate this process.
  10. Activate damage control. Set your public relations teams in motion to limit the damage to your organization’s reputation. It’s essential to do this quickly, clearly, and transparently. Be upfront about what you know and be honest when communicating information about the security incident.
  11. Learn from this experience. Does your data breach response plan need to be amended? What worked well? What didn’t? Don’t be afraid to make changes to your plan if it didn’t work as well as expected.
  12. Prepare for the next breach. It’s always best to be ready to respond to the next potential cyber attack.

For your healthcare data breach response plan to be effective, you’ll need the full support of all your senior management teams. This makes it important to make sure that they are involved from day one. 

You should also make an effort to keep the plan as simple and straightforward as possible. The last thing you want is confusion during an active breach.

It will serve you well to keep reviewing and testing your plan as often as possible. This means that you should always look for holes and discrepancies and fix them immediately. 

After all, your data breach response plan will be worthless if it’s not effective. Make sure that everyone knows how to handle a data breach and what to do after a data breach.

If you need assistance creating a healthcare data breach response plan, we can help. Schedule commitment-free consultation with one of our in-house cloud security experts



nach oben