Can an organizational restructuring have a big impact on data breach containment? Meredith Phillips, chief privacy officer of four-hospital Henry Ford Health System (HFHS) in Michigan, says yes.
Several years ago, HFHS realized it had made a common error by splitting the responsibilities for patient privacy and computer security between two organizations. (Privacy was a subset of corporate compliance, while security was located in information technology.) Competing priorities, a decentralized approach and lean resources diminished the focus of both, Phillips said in a recent webinar presentation sponsored by AHA Solutions and ID Experts.
The first step toward a more nimble response to data breaches was the establishment of a new Information Privacy Office (IPO) with an expanded scope to include all confidential data. “We realize we have to protect employment and financial data as well as patient data,” Phillips said. The IPO and the Information Security Office now both report to CIO Mary Alice Annecharico. “It is critical for privacy and security to report to the same leader,” Phillips said.
Rather than individuals at separate facilities managing privacy, the new centralized IPO structure ensures consistency and allows the organization to respond more rapidly to new regulations.
In the new configuration, Phillips convened a workgroup to create an incident response plan. They reviewed HITECH regulations and conducted research with other organizations to determine how to address the “risk of harm” standard that defines when patients must be notified of a breach.
Incident response plan test
HFHS had a chance to test its response in September 2010 when a laptop that contained information on approximately 4,000 patients was stolen.
“The laptop was unencrypted and the physical security of the office was compromised due to an open door,” Phillips said. HFHS staff members created an internal call center to contact all patients potentially impacted. It took 56 days, which HFHS determined was unsatisfactory. “The 56-day response time was outside of our service standards,” she added, “and proved to me our response plan was flawed.” Having HFHS assume responsibility for the entire breach response lifecycle extended the response time. HFHS turned to an outside firm, ID Experts, to help with future responses, and set a goal to have responses completed within four weeks, including working with the offending department on training and mitigation.
She said another realization was that their communication of the incident response plan failed due to a lack of branding and continuous reinforcement. “The work force didn’t understand the urgency during the assessment phase due to a flawed communication and education plan,” Phillips noted. “Too many employees had an attitude that it is somebody else’s job,” she said. “They would think, ‘Compliance is going to handle that.’”
Breach Response 2.0
Working with ID Experts, HFHS crafted a new approach to breach response. Under the name “Code B Alert,” they created a rapid response team that would be activated whenever HFHS has a breach.
The team, led by the chief privacy officer and chief information security officer, includes representation from legal, public relations, human resources, risk management, and business unit leaders. The Code B Alert program includes internal communication to the work force and external communication to the media, patients and the HHS Office for Civil Rights.
In 2011, HFHS got a chance to test the new system when an employee lost a Flash drive in a McDonald’s parking lot. Data on 3,000 patients was involved. Using the Code B Alert system, HFHS was able to take the 56-day response time down to 18 days. “We thought that was remarkable,” Phillips said. “But even though the response time was decreased and the communication plan was effective, we found another concern: portable storage devices.”
This led to the creation of an “iComply Program,” which required all employees to visit one of 20 “IT-staffed” stations to turn in all personal flash drives for an approved IronKey encrypted solution. Approximately 5,000 Flash drives were collected within a four-week period.
New issues, such as how to deal with social media and iPad use, crop up all the time, Phillips said. “Our task as we move forward will be to create synergy between our privacy and security departments to reinforce our culture of confidentiality.”