What Happens When a Health Facility Experiences a Data Security Breach?

Written by Abby Nieten on August 9, 2017

Posted in Healthcare, IT + Security

Healthcare security breaches have been on the rise in recent years. In 2016 alone, more than 27 million patient records were compromised as part of 450 data security breach incidents. And 2017 isn’t looking much better, with several large breaches already logged with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Data security breaches can be costly—especially if they involve HIPAA violations. The largest HIPAA fine to date was collected in 2016, with Advocate Health System doling out $5.55 million. Coming in at a close second, Memorial Healthcare System was hit with a $5.5 million fine earlier this year.

But HIPAA fines aren’t the only costs associated with healthcare security breaches. When a breach occurs, organizations must work through a series of time-consuming (and often expensive) actions to mitigate the situation. Here are 5 steps your healthcare organization should take to ensure an appropriate and timely response in the event of a data security breach:

#1: Identify vulnerabilities.

The first step is to identify the root of the problem and isolate any security issues to stop the breach. This may involve performing a risk analysis to determine the nature and scope of the security breach as well as its origin.

You’ll want to answer the following questions:

  • Who is responsible for the breach? External hackers? Internal personnel?
  • When did the breach occur?
  • How did the breach occur? Were servers or systems hacked? Did an employee unlawfully access information?
  • Was any ePHI compromised?

#2: Seek professional legal and security counsel.

Next, you should seek assistance from legal and security professionals.

The legal team can review your notification plan and help you draft communications and documentation related to the breach. They can also help prepare you for the potential of liability lawsuits and provide advice on how to handle people affected by the data leak. For instance, they may advise you to offer credit card monitoring to all victims for a period of time after the breach.

The security team can do a deep dive into any identified security flaws. Then, they can help you fix network issues and ensure all systems have returned to a secure state.

#3: Notify appropriate parties.

Healthcare organizations that experience an ePHI security breach must adhere to a strict breach notification process, as laid out by the HIPAA Breach Notification Rule. In short, covered entities (and their business associates) must notify all affected individuals, the Secretary of HHS, and (possibly) the media. Facilities are required to notify prominent media outlets in their area if more than 500 individuals may have been affected by the breach.

Notifications must be provided in a timely manner—within 60 days of the security breach discovery. If an organization doesn’t self-report a breach, it is considered willful neglect. If the unreported breach is discovered during a HIPAA audit, the organization could face a minimum fine of $10,000 per violation.

Health organizations should also be aware of any state data breach notification laws that may come into play after a breach.

#4: Address risks.

While immediate threats should be addressed as soon as a data security breach is discovered, other outstanding issues may still need to be remedied after the breach is stopped and appropriate individuals are notified. You should conduct a thorough security audit to identify additional risks and work to implement safeguards to help protect your systems against future attacks.

Some remediation actions to consider include:

  • Reformatting hacked devices
  • Restoring data from clean backups
  • Updating all accounts with new, secure passwords

#5: Manage resulting consequences.

Healthcare security breaches can have long-lasting consequences. As mentioned previously, HIPAA violations often lead to costly fines from the OCR. Depending on the circumstances surrounding the breach, criminal penalties (such as jail time) might also be handed down. Additionally, you’ll have your work cut out for you with regaining patient trust and restoring your reputation.

Dealing with a healthcare security breach can be an arduous process with a lot of complex details to consider. So it’s best to do what you can to avoid breaches altogether. And that starts with a thorough HIPAA compliance plan. Click below to find out how Formstack’s HIPAA compliant online forms can be an integral part of your plan.