10 Common Security Incident Response Mistakes (And How To Avoid Them)

June 24, 2011
It seems to be the season for major health care industry security breaches. On April 17, the University of Miami announced that six computer back-up tapes containing data on 2.1 million patients were stolen from a vehicle on March 17. Anyone who has been a patient at the university since January 1, 1999 is likely to be included on the tapes. In light of this and other recent high-profile health care security breaches, I thought it would be a good time to review ten common mistakes that organizations make in responding to a breach.

Mistake 1 -- Failing to adopt a security compliance program, including an incident response plan. State security breach notification laws generally require notices to be sent very promptly. In order to be prepared to respond quickly enough, it is vital to have a formal incident response plan.

Mistake 2 -- Failing to follow an incident response plan. In the heat of a crisis, companies sometimes neglect to follow the security incident response plan that they have adopted. The easiest way to demonstrate that a company failed to act reasonably is to show that it adopted a prudent, industry-standard security incident response plan -- and then failed to follow it.

Mistake 3 -- Overreacting. Even though security breach notifications must be sent promptly, there is always time to conduct an appropriate investigation to confirm the facts of the incident. You may discover that what occurred isn't actually a breach at all. However, if you figure that out after you've already mailed notification letters to thousands of your customers, it's impossible to "unring the bell."

Mistake 4 -- Lack of clear communication between lawyers and IT personnel. Terms such as "breach" and "access" can have very different meanings when spoken by lawyers, IT personnel and company executives. Make sure that the members of your incident response team are speaking a common language.

Mistake 5 -- Forgetting that state security breach notification laws differ. If a breach involves patients from multiple states, you must quickly determine which of the states have security breach notification laws, and identify the unique requirements of those laws. For example, the laws of states such as New Jersey, New York and North Carolina require that specific state agencies receive notification of a breach.

I'll cover the other five common security incident response mistakes in my next posting.
