You’ve been breached! Now what?

Nov. 16, 2016
By Marti Arvin, Vice President, Audit Strategy, CynergisTek

Multiple healthcare organizations have been in the news lately for data security compromises. Banner Health, headquartered in Phoenix, announced a data breach involving the records of approximately 3.7 million individuals on Aug. 3. As of Aug. 22, at least two class-action lawsuits have been filed, and there are others assessing whether or not to file additional suits.

Great or small, the disruption such incidents cause to the organization is significant. We may even start to see more disruption associated with smaller breaches. On Aug. 19, the Office for Civil Rights announced an initiative to increase its investigations of breaches involving fewer than 500 individuals.

While there are many things to deal with following a breach, security professionals will need to quickly determine how the organization can return to the day-to-day operation of its privacy and information security program.

When a security lapse occurs, an organization often spends months investigating the incident: perhaps hiring a forensics firm, reviewing a multitude of reports, identifying the number of individuals involved and the nature of the information compromised, and determining whether notification is required. So once the point is reached where all the appropriate individuals and agencies have been notified and call center activity has started to dissipate, life can return to normal, right? Probably not. Depending on the nature of the data breach, the organization may still be the subject of investigations by state and federal regulators. There may also be legal proceedings that need to be addressed, and there will likely be mitigation activity that is required. All of these activities can take months or even years to resolve.

So, how does the organization continue to focus on the everyday operation of the privacy and information security oversight program? Several factors can impact the smooth return to those routine functions, and the more prepared the organization is to respond to such an incident, the faster its return to normal can be accomplished. The understanding of the organization’s leadership regarding the ongoing requirements associated with the aftermath of the breach, and their willingness to invest resources for those activities, are also important.

Convincing organizational leadership of the need to invest resources is not always easy. After the breach, it might be easy to convince them of the need to quickly implement various mitigation actions to reduce the risk of a new data compromise, but they cannot ignore other activities. There are additional considerations. For example, if the organization is utilizing all of its internal resources to deal with the aftermath, those resources are not focused on the existing program responsibilities. The need to focus on the aftermath of the security incident may mean the implementation or upgrade of other planned security features is delayed. Regulators will not respond favorably if the reason for new data compromises is that the majority of an organization’s resources were tied up in the ongoing response to an incident, at the expense of ensuring compliance with other provisions of the regulations.

If the security program calls for some form of routine monitoring, auditing, training, and education, those activities cannot be put on hold simply because there are longer-term activities to respond to the breach. However, this may be less obvious to senior leadership, and it may be difficult for them to understand why additional support of the operational functions may need to continue for some time beyond the initial incident.

Organizations need to consider how day-to-day functions will be impacted if the staff who run the privacy and security program are also tasked with ongoing participation in the cleanup from a security incident. While it can be expected that most employees are willing to put in the extra effort for a short period of time, if this effort extends for months or even years, burnout is inevitable. In today’s world there is a significant market for individuals with the skill sets needed for this work, so the risk of losing staff increases during these times if the organization is not thoughtful and prepared for this possibility.

There are multiple activities that may need to be performed for a period of time after the initial response to the breach, such as increased training and implementing new or revised data security protections, including a data loss prevention tool, creating or improving a security operations center, as well as identifying all of the mobile devices that might store ePHI. These things take time. Shortening the time will usually require more resources. The organization might have had all of these on a risk mitigation plan, but the plan may need to be accelerated as a result of the intervening security incident.

Be prepared to inform senior leadership of the true cost of this and the impact on the day-to-day routine operations of the privacy and information security program. If there is a decision to put other routine functions on the back burner to focus on the continued response to the incident, make sure it is an informed decision. Senior leadership needs to be aware of what this means in terms of the effectiveness of the security program.

It may take some time to get back to the full scope of routine operations after a security incident. Recognizing this is the first step to recovery. The second is ensuring senior leadership also recognizes this. Senior leadership may also need to be convinced of the need for additional resources to support the ongoing program, the mitigation activities, or both. As with most things in compliance, being prepared helps reduce the stress, costs, and long-term impact.
