It seems to be the season for major health care industry security breaches. On April 17, the University of Miami announced that six computer back-up tapes containing data on 2.1 million patients were stolen from a vehicle on March 17. Anyone who has been a patient at the university since January 1, 1999 is likely to be included on the tapes. In light of this and other recent high-profile health care security breaches, I thought it would be a good time to review ten common mistakes that organizations make in responding to a breach.
Mistake 1 -- Failing to adopt a security compliance program, including an incident response plan. State security breach notification laws generally require notices to be sent very promptly. In order to be prepared to respond quickly enough, it is vital to have a formal incident response plan.
Mistake 2 -- Failing to follow an incident response plan. In the heat of a crisis, companies sometimes neglect to follow the security incident response plan that they have adopted. The easiest way to demonstrate that a company failed to act reasonably is to show that it adopted a prudent, industry-standard security incident response plan -- and then failed to follow it.
Mistake 3 -- Overreacting. Even though security breach notifications must be sent promptly, there is always time to conduct an appropriate investigation to confirm the facts of the incident. You may discover that what occurred isn't actually a breach at all. However, if you figure that out after you've already mailed notification letters to thousands of your customers, it's impossible to "unring the bell."
Mistake 4 -- Lack of clear communication between lawyers and IT personnel. Terms such as "breach" and "access" can have very different meanings when spoken by lawyers, IT personnel and company executives. Make sure that the members of your incident response team are speaking a common language.
Mistake 5 -- Forgetting that state security breach notification laws differ. If a breach involves patients from multiple states, you must quickly determine which of the states have security breach notification laws, and identify the unique requirements of those laws. For example, the laws of states such as New Jersey, New York and North Carolina require that specific state agencies receive notification of a breach.
I'll cover the other five common security incident response mistakes in my next posting.