What to do if a data breach happens to you

After a malware incident in 2014, Anchorage Community Mental Health Services (ACMHS) in Alaska paid a $150,000 fine and adopted a corrective action plan to improve the security of its technology resources. The Department of Health and Human Services Office for Civil Rights (OCR) said the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating its IT resources with available patches and running outdated, unsupported software.

ACMHS is far from alone. 

OCR keeps a running tally online of healthcare organizations that have suffered breaches of protected health information (PHI) affecting 500 or more individuals. Known informally as the “wall of shame,” the list contains hundreds of examples of lost laptops, thefts, hacking incidents and unauthorized disclosures. 

Most behavioral providers are small organizations without significant resources to devote to information security. The person who functions as the compliance officer might wear several other hats in the organization as well, and the providers might depend on a small internal or external IT service organizations to oversee security. Behavioral Healthcare asked experts with experience helping provider organizations improve their privacy and security posture for their recommendations for how to be more proactive about safeguarding their PHI and what to do if they have a breach.

1. Inventory your data 

First, it is crucial for small and mid-sized organizations to know what data they have, where it is, and how it is being accessed, says George Bailey, senior advisor for security for Purdue Healthcare Advisors in West Lafayette, Ind. If you don’t know where all your data is, you won’t be sure a breach is completely contained once it happens. Plus, the security controls to put in place will be different when data is regularly accessed, for example, on a laptop vs. a fixed workstation.

2. Complete a risk assessment

Doing a thorough risk assessment is a cornerstone of HIPAA compliance, Bailey says. You’ll want to determine how important backup and business continuity might be, based on your inventory of assets and data.

“You may know you need to have a backup plan, but is it a top 10 priority? A risk assessment will help identify and prioritize some of the remediation efforts,” he says.  

Another option becoming more popular with smaller organizations that don’t have a lot of resources is working with a cyberinsurance company, says Rich Kam, president of ID Experts, a Portland, Ore.-based company that provides IT security software and services. Just applying for the insurance can lead the providers through a risk assessment. 

“The insurers put tools online for doing risk assessments,” he says. “A questionnaire will walk providers through issues around employee training and updating firewalls.” 

3. Make sure training is uniform

Many breaches involve “phishing” incidents, in which an employee is tricked into clicking on a malicious attachment that looks harmless but ultimately compromises security. Only continual training and reminders can prevent that, the experts say. But healthcare providers focused on their patients often don’t think about security training, authentication and access control, Bailey says. He adds that some organizations have certain standards for clinicians and others for administrative employees when it comes to security awareness, onboarding and training. Leaders might assume the clinicians understand that they have to be good stewards of the data, and it is common to skimp on refresher training, he says. 

“But those physicians may not understand how to use antivirus software or fundamental things about how to keep data safe,” Bailey adds. “They are a weak point in the security.”

If it happens to you 

So what should you do if your organization experiences a breach? Obviously, it depends on circumstances: whether it is a lost or stolen laptop, a malicious hacking event, or even a misplaced paper file. But if you look at the wall of shame on the OCR website, the majority of breaches involve smaller organizations and there are trends among them, says Sarah Badahman, CEO of St. Louis-based HIPAAtrek, a HIPAA compliance organization. 

“A lot of them are losing laptops or other devices that have PHI on them,” she says. 

Loss is an easy thing to correct, however. It all comes down to education: Don’t leave laptops in cars or other locations where are they are easy targets for thieves. Another simple solution for security: When traveling, don’t access unknown networks. 

“Don’t sit in a Starbucks and access patient information—those are unsecure networks,” Badahman says. “Organizations are doing compliance 101 training when they should be creating robust policies and procedures and doing training on those. The issue comes down to viewing compliance as a checkbox vs. compliance as a culture.” 

Because so many breaches involve lost or stolen mobile devices these days, there is a stronger focus on encrypting data. Additionally, if a laptop is encrypted when lost and the encryption key is secure, it is said to have a “safe harbor” from government-required breach reporting. 

Previously, organizations would take the approach of trusting employees to be good stewards of the data, Bailey says. 

“But many now understand that they can’t take that risk,” he adds. “Encryption is not as difficult as it once was; it’s cheaper, and the computing resources are strong enough that it is transparent in most environments. The expectation is that you will encrypt.”

Obviously, taking corrective action can only happen if you know that you have experienced a breach. The most likely scenario in discovering an issue is that an employee will realize a laptop was stolen from somewhere outside the office.

“That happens a lot, unfortunately,” Kam says. “Another variation is that a police officer will stop someone for speeding and find in the car a trunkful of [stolen] medical forms or reports from a clinic or hospital. The worst-case scenario is that law enforcement or the FBI is contacting you saying they have discovered your data being sold on the dark web. It is an awful day when that happens.” 

Healthcare organizations also are starting to become victims of “ransomware,” in which criminals hack into a system and encrypt an organization’s data until a ransom is paid in bitcoins—a type of digital currency. Hollywood Presbyterian Hospital in Los Angeles reported suffering a ransomware attack in February 2016 and paid the hackers $17,000 in bitcoins.  

When focusing on your network, Badahman says, there are several things to look for: 

• Unusual outbound traffic;

• Log-in red flags (such as an excessive number of failed attempts, logins from unusual geographic areas, changes in behavior for a privileged user);

• Large number of requests for a single file;

• Low network performance (can be a sign of denial of service attack); and 

• Unexpected patching of systems. 

Hackers typically take the road of least resistance, so it is important to monitor your systems continuously. Badahman, who previously worked as a privacy and security officer for a multispecialty clinic, recommends having a robust audit trail review process and setting up exception reports to notify the IT or security team of certain activity so it can be halted before there is a security incident. 

Notify patients

Providers have responsibilities to notify patients by law when a breach occurs. 

“One of the first things providers should do is reach out to internal or outside counsel to get a determination as to whether or not they have notification obligations based on the incident so far,” Kam says. 

Some states have stricter reporting requirements, but the federal data breach notification rule states that providers must notify affected individuals following the discovery of a breach of unsecured protected health information within 60 days. If the breach affects more than 500 residents of a state or jurisdiction, the provider organization also must notify the media and the OCR. 

“Where it gets fuzzy, unfortunately, is if a clinic has patients in two states because the state laws can be different,” Kam says.

There are financial penalties for security breakdowns, and breaches can be quite costly. The OCR can potentially fine organizations up to $1.5 million per incident per calendar year. There can also be criminal charges and fines levied if the breach meets certain criteria defined in HIPAA. The average cost is approximately $363 per record breached, according to a recent study by the Ponemon Institute. 

What kind of operation is most at risk? Most providers deal with some type of electronic information, even if they are not using a complete EHR, so even small providers are at risk. It’s a concern because the healthcare industry has historically taken a lax approach to security and health information is also highly valued on the black market, Badahman says. 

Whether they are looking for Social Security numbers, financial data or PHI, the crooks don’t know or care about your size, Kam says. 

“They are just looking for valuable data,” he says. “That can happen to large organizations such as Anthem, or Presbyterian Hospital, a much smaller organization.”

Purdue’s Bailey says that there are still a lot of breaches happening with paper records, too. 

“The industry is trying to move everybody to digital, and we still can’t keep track of paper,” he says. “Going digital it is not going to solve all their problems, but at least they will know where those records are.” 

David Raths is a Pennsylvania-based freelance writer.

Where the Breaches Are

Beazley, a provider of data breach response insurance, recently released its Beazley Breach Insights 2016 report based on more than 2,000 breaches in the past two years. Statistics are based on 777 incidents in 2014 and 1,249 in 2015. Here are some highlights:

• Breaches caused by either hacking or malware nearly doubled in relative frequency over the past year. In 2015, 32% of all incidents were caused by hacking or malware vs. 18% in 2014.
• Unintended disclosure of records – such as a misdirected e-mail – accounted for 24% of all breaches in 2015, which is down from 32% in 2014.
• The loss of non-electronic physical records accounted for 16% of all breaches in 2015, which is unchanged from 2014.
• The proportion of breaches involving third-party vendors more than tripled over the same period, rising from 6% of breaches in 2014 to 18% of breaches in 2015.