As a healthcare practitioner, you know how important it is to protect your clients’ information. Unfortunately, as the value of protected health information (PHI) on the black market increases, so does the number of data breaches. Do you know what you should do if one ever happens to your practice? Whether your practice is small or large, and whether you depend on a full EMR or keep your records in a smaller practice management system, you need to know the basics of what to do when a data breach occurs, so you don’t make mistakes that cause further damage and hefty fines.
Implement your Incident Response Plan
In a best-case scenario, you already have a plan, and employees who have been trained to carry it out, ready to go. A good Incident Response Plan defines the roles and responsibilities employees will take on in case of a breach. It also calls for regularly testing the plan and ensures that every part of it, including the engagement of outside help, is ready to activate.
If you have an Incident Response Plan, you know exactly what to do the minute a data breach occurs.
But what if you don’t have a plan?
Don’t panic and make mistakes
Maybe you’ve been planning to put together an Incident Response Plan but just haven’t gotten around to it. A data breach occurs, and you’re not prepared. It’s tempting to panic, but that’s when mistakes happen that could haunt you. According to Steve Youngman, Vice President of Hushmail’s Legal Department, the best thing to do is to “take a deep breath and try to approach the problem with a clear head. Contact a digital forensic investigator, law enforcement and your attorney. Be prepared to take notes through the entire process until the breach is contained, and be sure to preserve evidence. For example, don’t delete any files, and when you change passwords, be sure to keep a record of the old passwords for analysis.”
Call in a digital forensic investigator
Just like hiring an accountant to do your taxes, you can go through the steps of containing a breach on your own, but unless you have a background in cybersecurity, you might not feel very confident about the results. An investigator will figure out how and when the breach occurred and give recommendations for preventing future breaches. Getting a professional to look over your online security procedures is never a bad thing. Once the breach is contained and the dust has settled, you may well consider it the silver lining of the ordeal.
Contain the breach ASAP
Even if you called in a forensic investigator, do the following before they arrive:
- Disconnect all devices from the Internet by unplugging them from your firewall(s) or router(s) until the location of the breach has been determined. Disconnect rather than power off: shutting a device down destroys the contents of its memory, which an investigator may need as evidence
- Disable (but don’t delete) any remote access and wireless access points
- Change all account passwords, including for any accounts used to manage your practice, and disable (don’t delete) accounts that aren’t critical. Keep a record of the old passwords for the investigator, but store that record somewhere the attacker cannot reach, such as on paper or on a device that was never connected to the affected network
- Switch to your backup secure form of communication that you hopefully included in your Incident Response Plan
Document the breach and containment from beginning to end
As mentioned earlier, in the aftermath of a breach it’s crucial to document everything from start to finish. Although this might seem time-consuming and easy to skip over if you’re in panic mode – don’t. You want a record of everything that has happened so you can accurately inform your clients, which the HIPAA Breach Notification Rule requires, and notify the Department of Health and Human Services (HHS).
Here are some of the things you’ll want to document:
- How you found out about the breach, including the date and time you were notified
- What the notification said
- All actions from the point of notification until the end of the incident
- The date and time you disconnected your systems from the Internet and disabled remote access
- When you changed passwords
- All other steps taken
Inform your clients and HHS of the data breach
The HIPAA Breach Notification Rule requires you to notify all affected clients without unreasonable delay and no later than 60 days after you discover the breach (the clock starts at discovery, not at the date the breach occurred). Notice goes by first-class mail, or by email if the client has agreed to receive notices electronically. Be aware that state law may require you to notify them sooner, so check with your local jurisdiction.
If you’re unable to reach 10 or more individuals because their contact information is out-of-date or insufficient, you must provide substitute notice: post the notification prominently on your website for at least 90 days, or publish it in major print or broadcast media in the areas where the affected individuals live, and include a toll-free number that stays active for at least 90 days. Separately, if more than 500 residents of a state or jurisdiction have been affected, you must also notify prominent media outlets serving that state or jurisdiction. It’s best to consult with your attorney when preparing any public statement.
If more than 500 individuals were affected, you will also need to notify HHS within 60 days of discovering the breach. If the breach affected fewer than 500, log it and report it to HHS within 60 days after the end of the calendar year in which it was discovered.
For more information about what to do in case of a data breach, review the Federal Trade Commission’s guide for all businesses, not just healthcare: Data Breach Response: A Guide for Business
Make sure a data breach doesn’t happen again
Hopefully, you never experience a data breach. But if you do, you can put everything you learned during the breach to good use and make sure you never have another one.
- If you didn’t have an Incident Response Plan the first time around, create one now. This article from HealthcareITNews explains the basics of creating a plan: 7 best practices for a successful incident response plan
- Schedule an annual risk analysis and conduct ongoing risk management
- If you aren’t already using Hushmail’s encrypted email and web forms as your primary method of communicating with your clients, consider signing up today. Hushmail can also serve as your emergency backup account that you can quickly switch to if a breach occurs. Contact Customer Care if you’d like to learn about using Hushmail as both your primary and backup accounts.