A Step-by-Step Guide
The health industry routinely deals with some of the most sensitive data in the world. Healthcare professionals have a duty of care to ensure that information does not fall into the wrong hands. Unfortunately, as with any industry, a data breach is sometimes unavoidable. What matters is how you deal with one when it does happen.
When it comes to data breaches, it’s often more a question of ‘when’ than ‘if.’ With threat surfaces growing larger by the day and no end to the cybersecurity skills shortage in sight, our data has never been in more danger. And nowhere is that more troubling than in the health industry.
Healthcare professionals routinely deal with some of the most sensitive data in the world – Protected Health Information (PHI), which includes everything from names and addresses to medical history and social security numbers. They must do everything in their power to keep that information safe. But what happens when those efforts fall short?
What happens when, in spite of its best efforts, a healthcare organization suffers a data breach?
As a health professional, your duty of care extends beyond protecting patient data. It also includes being accountable and transparent when that data is put at risk. Let’s talk about that.
Before The Breach: Make Sure You’re Ready For The Worst
At the end of the day, the only difference between a catastrophic breach and a manageable one is how prepared the victim was before it happened. Your first step in that regard is to establish total visibility and control over all PHI within your organization. Start by familiarizing yourself with all the cybersecurity requirements covered by HIPAA – access control, physical safeguards, and so on.
Visibility is also essential; you should be able to determine at a moment’s notice where each piece of PHI within your organization resides and how it is being used.
You’ll also want to encrypt data both at rest and in motion. Although HIPAA doesn’t specifically mandate such measures, the Office for Civil Rights (OCR) has gone on record saying that encrypted health data is considered to be a ‘safe harbor.’ In other words, a breach that involves only encrypted data does not count as a breach under HIPAA.
Beyond that, you’ll want to implement strong policies that establish the following:
- Acceptable use for devices which work with PHI – this should include strictures that PHI is not to be stored on laptops, desktops, removable media, or mobile devices.
- An incident response plan that establishes which employees are responsible for monitoring, discovery, investigation, and disclosure.
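The visibility and acceptable-use points above are easiest to enforce with tooling that can tell you where PHI actually sits. The following is an added example, not code from the original article: a small scanner that finds US Social Security Number patterns in text and flags any hit that lives in a location the policy prohibits (endpoint home directories and removable media). The `PROHIBITED_PREFIXES` list and the sample file path are assumptions constructed for the example; the SSN format check is the standard one (area not 000, 666 or 9xx; group not 00; serial not 0000). Findings are masked so the scanner’s own report does not become a second copy of the PHI.

```python
import os
import re
from dataclasses import dataclass

# Hypothetical policy (constructed for this example): PHI must not be stored on
# laptops, desktops, removable media or mobile devices, so anything under these
# path prefixes is treated as a prohibited location. Adapt to your environment.
PROHIBITED_PREFIXES = ("/media/", "/mnt/usb/", "/Users/", "/home/")

# US SSN: area 001-899 excluding 666, group 01-99, serial 0001-9999.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    masked_value: str        # only the last four digits are kept
    prohibited_location: bool


def mask_ssn(ssn: str) -> str:
    """Keep the last four digits so the report itself does not leak PHI."""
    return "***-**-" + ssn[-4:]


def find_ssns(text: str) -> list[str]:
    """Return every well-formed SSN found in the text."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def is_prohibited_location(path: str) -> bool:
    """True when the path is somewhere the acceptable-use policy forbids PHI."""
    return path.startswith(PROHIBITED_PREFIXES)


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents, recording a masked finding per hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for ssn in find_ssns(line):
            findings.append(
                Finding(path, line_no, mask_ssn(ssn), is_prohibited_location(path))
            )
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a directory tree and scan every readable text file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except OSError:
                continue  # unreadable file: skip, do not abort the inventory
    return findings


if __name__ == "__main__":
    # Constructed sample content; the identifiers below are synthetic.
    sample = (
        "Patient: J. Doe\n"
        "SSN: 219-09-9999\n"
        "Invoice 123-45-678\n"      # too short, not an SSN
        "Test record 666-12-3456\n"  # reserved area number, not an SSN
    )
    for finding in scan_text("/media/usb0/export.csv", sample):
        print(finding)
```

Run `scan_tree("/path/to/share")` against a file server or workstation image to build the inventory the article asks for; any finding with `prohibited_location=True` is a direct policy violation to remediate before a breach, not after.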
Determine What Happened
Your first step in investigating any data breach is to figure out both how the breach happened and what data was compromised. This is precisely the reason the safeguards and controls we discussed in the previous step are so critical. By knowing where every piece of PHI within your organization resides, you’ll be able to determine what data might be at risk whenever unauthorized access occurs.
The moment you suspect something is amiss, assemble your response team and set them to work determining if a breach occurred, how large the breach might be, and what data might have been affected. Once you’ve identified which data has been compromised, preserve it as is – you may need it if OCR opts to conduct an investigation.
Notify The Affected Parties
Your next step is to notify every patient who may potentially have been impacted by the breach. Maintain open communication with them at all times, and keep them continually apprised of any updates in your investigation. The more open and honest you are here, the better – if possible, it may even be worth your time to arrange an open helpline for anyone with questions about their data.
Disclose The Breach To The Public
If the data breach impacts 500 or more patients, your next step is to notify the public. Emphasize what your organization is doing to mitigate the damage and prevent the same thing from happening again. The sooner you’re able to do this, the better – the most damaging breaches are those in which the affected organization waits too long before disclosing what transpired.
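Two of the steps above lend themselves to a small, repeatable tool: preserving the compromised data exactly as it was found, and working out who must be notified. The following is an added example, not code from the original article. It writes a SHA-256 manifest of the affected artifacts so that an investigator (or OCR) can later confirm nothing was altered, and it derives the notification obligations from the rules the article states: encrypted data is a safe harbor, affected individuals are always notified otherwise, and 500 or more affected patients also triggers public notice. The `key_compromised` flag is an added assumption reflecting that the safe harbor only holds while the decryption key itself was not exposed; the sample artifacts are constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class EvidenceRecord:
    name: str
    sha256: str
    size: int


def preserve_evidence(artifacts: dict[str, bytes]) -> dict:
    """Build a timestamped manifest hashing every affected artifact as found."""
    records = [
        EvidenceRecord(name, hashlib.sha256(data).hexdigest(), len(data))
        for name, data in sorted(artifacts.items())
    ]
    return {
        "preserved_at": datetime.now(timezone.utc).isoformat(),
        "records": [r.__dict__ for r in records],
    }


def verify_evidence(artifacts: dict[str, bytes], manifest: dict) -> bool:
    """True only if every artifact still matches its manifest hash and size."""
    expected = {r["name"]: (r["sha256"], r["size"]) for r in manifest["records"]}
    if set(expected) != set(artifacts):
        return False  # an artifact was added or removed
    for name, data in artifacts.items():
        if expected[name] != (hashlib.sha256(data).hexdigest(), len(data)):
            return False  # contents changed since preservation
    return True


def notification_obligations(
    affected_individuals: int, data_encrypted: bool, key_compromised: bool = False
) -> list[str]:
    """Derive who must be told, following the rules stated in the article.

    Assumption added here: encryption is only a safe harbor while the
    decryption key itself was not exposed in the same incident.
    """
    if data_encrypted and not key_compromised:
        return []  # safe harbor: not a reportable breach
    obligations = ["notify affected individuals"]
    if affected_individuals >= 500:
        obligations.append("notify the public")
    return obligations


if __name__ == "__main__":
    # Constructed sample artifacts standing in for exported records.
    artifacts = {
        "exports/2024-01-patients.csv": b"id,name\n1,J. Doe\n",
        "logs/access.log": b"10:01 user=svc_export action=read count=612\n",
    }
    manifest = preserve_evidence(artifacts)
    print(json.dumps(manifest, indent=2))
    print("intact:", verify_evidence(artifacts, manifest))
    print(notification_obligations(612, data_encrypted=False))
```

Store the manifest (and ideally the artifacts themselves) somewhere the response team can write but the rest of the organization cannot, and re-run `verify_evidence` before handing anything to investigators.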
Analyze What Can Be Done Differently In The Future
Last but certainly not least, once the dust has settled, you’ll want to meet with your team to evaluate both the breach and your response. Determine what could have been done to prevent it, and how your response can be improved for next time. Once you’ve established this, it may be worthwhile to send out one last email to all affected parties letting them know how you will keep their data safe in the future.
No organization wants to deal with a data breach, least of all a healthcare agency. Unfortunately, at one point or another, you may have to. Your best bet is to proceed with the assumption that a breach is inevitable, and that you must mitigate it however possible.
Because at the end of the day, the damage done by a breach is all about how well you prepared – and how well you handled yourself in the aftermath.