
Don’t Get Stranded without a Data Security Action Plan

August 26, 2016
by Mark Shelhart, Sikich LLP

The cybersecurity challenges that face healthcare providers can seem staggering. Last year, the industry accounted for nearly 70 percent of all records exposed in data breaches, according to the Identity Theft Resource Center, and protected health information breaches impacted more than 113 million individuals, according to the Office for Civil Rights (OCR). Further, with health records increasing in value (surpassing credit card data) for criminals, hacking continues to rise.

Some institutions will report that they are “mostly secure.” And while awareness of threats has increased in the healthcare sector, many providers remain behind the curve on cybersecurity and lack the ability to prevent even common intrusions. Compounding the challenge for providers, state governments have responded to cyberattacks with increased scrutiny. Ever-changing laws dictate what actions a provider must take to both alert patients affected by a breach and offer remediation. Many of these amended laws expand the reach of current notification requirements, add to the definition of “personal information” and increase reporting requirements to state attorneys general.

For example, North Dakota modified its notification law to require any organization that “owns” or “licenses” state residents’ data that includes “personal information” to report the breach to the attorney general if it impacts more than 250 people. This applies even if the organization isn’t based in the state. North Dakota isn’t alone. Several other states, including Connecticut, Nevada, Oregon and Tennessee, amended data breach notification laws in 2015 and 2016. And state attorneys general are making it clear that they want to be in the loop early when a breach occurs.


Navigating this increasingly complex maze of requirements from different states while simultaneously combatting data breaches is not an easy task. That’s why it’s critical for healthcare providers to prepare a comprehensive data security action plan by following these five steps:

1. Benchmark to identify vulnerabilities—A risk assessment is a key first step to help a provider determine where the greatest risks are within the organization. This helps the leadership team then determine what security resources to deploy and where to focus attention.

2. Adopt a consistent security posture—Healthcare providers need to take a consistent security stance across their organizations. This includes thorough application and network penetration testing, vulnerability scanning and ongoing server monitoring and patching. A robust security testing regimen can help reduce vulnerabilities and protect providers’ most important and sensitive information.

3. Evaluate and manage third-party relationships—Hospitals have many vendors that handle everything from payments to data storage. These vital operational relationships can also be perilous if the vendor falls victim to a breach that compromises sensitive hospital and patient data. That’s why it’s crucial to make security a key consideration when selecting vendors and to scrutinize current third-party relationships. Healthcare providers must learn what vendors are legally responsible for in the event of a breach and also do their best to evaluate vendors’ security practices. The bottom line is that all organizations should have a policy requiring their vendors to disclose any security incident.

4. Gain a full understanding of all state and federal regulations—With lawmakers passing new regulations related to breaches on a regular basis, providers need to ensure they have a grasp on their level of legal exposure in different states—well before a breach occurs. Trusted legal advisors, both internal and external, can play a key role in keeping providers up to speed on the latest regulations and should be an integral part of an incident response team.

5. Implement a communications strategy to protect your reputation—Providers also need a reputation management plan and a communications strategy to control their message and handle the flood of press inquiries after a breach. Planning ahead ensures the breached organization is equipped to comply with all relevant authorities and tell a clear and honest story to patients, the general public and the media. Breaches handled poorly can shatter reputations and lead to deteriorating trust. Organizations that invest in thoughtful communications and execute a well-grounded media relations strategy will set themselves up to preserve their reputation and regain their footing for future success.

Healthcare organization leaders should take immediate stock of their security stance. How secure is sensitive data? Is the organization ready to spring into action in case of a breach? With the healthcare industry in the crosshairs, and new laws putting added pressure on providers of all sizes, action can’t be delayed. The companies that adopt an ongoing commitment to security and implement a comprehensive action plan that addresses both pre-breach data security and post-breach reputation management can feel more confident in the face of today’s ever-evolving threats and regulations.