June/July 2019
Breach Preparedness Know-How
By Maura Keller
For The Record
Vol. 31 No. 6 P. 22
Hospitals with a well-rehearsed, well-coordinated plan in place have the best chance to limit the damage.
Gone are the days when health care organizations stored valuable patient information on disorganized stacks of floppy disks in dusty back corners of offices. Today, hospitals are using easily accessible and managed data storage systems that deliver universal connectivity in a networked environment.
But as hospitals experience a prolific gain in data, they are reexamining their security processes with a single goal in mind: to streamline the security of their information management and enhance their breach preparedness.
According to Jamie Singer, senior vice president at Edelman, establishing a breach response process is vital for hospitals because as the cyber threat landscape continues to evolve, it’s no longer a matter of if, but when hospitals are likely to face a data security event. In fact, according to the 2018 Ponemon Report, the average global possibility of a breach in the next 24 months is 27.9%.
“For hospitals, with PHI [protected health information] and PII [personally identifiable information] on the line, it is imperative that they are prepared to respond to these potential issues,” she says. “However, according to a recent Brunswick Insight/Abbott Cybersecurity survey, 75% of physicians and 62% of hospital administrators feel inadequately trained or prepared to mitigate cyber risks that may impact their hospital.”
Singer says that establishing a clearly articulated breach response process in advance of an actual issue—including defining the composition of the incident response team, outlining roles and responsibilities, documenting internal and external response protocols, and planning for top data security and privacy risk areas—is critical for enabling hospitals to respond quickly and effectively to a live issue.
According to Steve Staden, CISSP, senior vice president of products at Wind River Financial, as health care moves to a digital presence, more data are being collected, a development that has created opportunity for malicious activity against those stores of data.
“Everybody thinks they have controls in place, but over one-half of incidents are caused by internal users who were just going about their day job,” Staden says. “The robots have not taken over yet, so we still need to make secure environments and provide awareness, as security is constantly changing.”
Detecting Breaches
Upon the initial detection of a possible data security incident, Singer says hospitals should notify and engage critical partners such as their cyber insurer, outside cyber counsel, and external forensics to help understand the scope of the issue and any potential notification requirements.
“Those entities will then typically help hospitals to engage an external crisis communications firm and vendors such as an external call center or mailing house to help manage patient notification,” she says.
Paramount to a breach is to determine the cause and immediately stop or isolate it. “For example, [if] you see a large amount of data going out of the organization through your network, you will want to immediately block that computer and remove it from the network so it’s not affecting other computers,” Staden says. The team needs to ensure the issue is resolved before moving to investigating the root cause of the issue, which may require a deeper forensics review, he adds.
“After the root cause is determined, hospitals are required to complete a risk and impact analysis, which will ultimately determine the appropriate level of notification based on the data breach,” Staden says.
In terms of an external response, it is important for legal/regulatory and communications strategies to be in lockstep from the outset. “Hospitals should balance the desire to communicate quickly and transparently with being careful in communicating publicly or broadly when facts are still being gathered and IT systems may not yet be remediated,” Singer says.
At the same time, hospitals should prepare a reactive holding statement to be used in the event of a public leak through a media inquiry or social media speculation. As Singer explains, best practice suggests this statement should focus on highlighting that the hospital is investigating a potential issue, communicating the steps it’s taking to investigate and address the issue, and reiterating a commitment to the security and privacy of patient/employee information.
How long after the initial detection of a breach should the public be notified? Often, state, federal, and international legal/regulatory requirements are based on the type of information affected, the number of individuals impacted, and the markets where those individuals live; these factors will inform decisions on public notification timing.
“Typically, when PHI is involved, HIPAA requires patient notification within 60 days of determining that a breach occurred,” Singer says, noting that this is where it is important for the legal and regulatory strategy and communications approach to be aligned.
Depending on the severity of the breach, a hospital will need to notify media outlets within 60 days following the discovery. “Also, note that you will need to provide proof that you sent the notifications to the correct parties. Be prepared to demonstrate that information,” Staden says.
While it is important to communicate in a timely manner in order to ensure long-term patient trust, hospitals must be in a position to communicate facts that are unlikely to change, the support it is providing to impacted patients, and assurance that IT systems are remediated.
“In data security incidents, facts can be fluid, so rushing public statements can potentially result in negative outcomes for hospitals—such as disseminating inaccurate information, potentially compromising more data and damaging the hospital’s reputation further by breaking trust again,” Singer says. “It is a balancing act to communicate quickly and communicating accurately.”
Communications should reflect how hospitals are demonstrating accountability and a bias toward action—what the hospital is doing to address the issue in the immediate term, how it is going to protect against future data security issues, and how it’s supporting impacted individuals (eg, offering identity theft protection and/or credit monitoring services).
Theresa Meadows, MS, RN, CHCIO, FHIMSS, senior vice president and CIO for Cook Children’s Health Care System, leads a team of 200 members covering areas such as infrastructure, applications, telecommunications, and program management. Her team supports 140 project initiatives that include deploying business intelligence, advanced clinical systems, and enterprise resource management.
Meadows says it’s important to note that most hospitals’ emergency management structures account for much of the structure that is needed when an incident occurs. This includes a command center structure to manage the incident.
“Role definition for all those involved as well as appropriate communication channels is a must,” she says. “Each role would be defined as part of the process.” For example, public relations would be responsible for communications with media and patients regarding the incident. The chief information security officer (CISO), who may be the incident commander, directs the technical teams through the recovery process, and clinical operations ensures patient care can continue safely.
Lee Barrett, executive director and CEO of the Electronic Healthcare Network Accreditation Commission, says consumers expect hospitals to be transparent when revealing their actions and describing the severity of the breach’s damage.
This makes it imperative to implement the communications plan as expeditiously as possible. Recommended actions include creating a website or portal where patients can visit for the latest information. “A hotline where people can go to find out the latest information and actions is another means of communications to answer questions and concerns,” Barrett says. “Always test and ensure that the hotline and portal can handle the impending volume of ‘hits’ that will occur. There’s nothing worse than further frustrating or angering patients when they can’t get into a site or get their questions answered in a timely manner.”
In addition to communicating directly with patients and posting information on the website, hospitals must also properly equip employees—leadership, managers, patient relations staff, internal call centers, and event front-line reception employees—on how to navigate and respond to patient questions and concerns.
“Communicating with ‘one voice’ is key for hospitals to control a consistent message,” Singer says. “Regular monitoring of traditional media and social media channels is important for tracking patient/stakeholder sentiment and calibrating communications strategies accordingly.”
Barrett says the key to breach preparedness is to be as proactive as possible. Many cyberattacks are not detected for months and only after an external audit is conducted and the breach has already occurred—which is too late.
“There should be various response scenarios developed based upon the risk vector and scope,” he says. “Each scenario should be defined with roles, responsibilities, actions, timelines, and deliverables clearly defined. All scenarios identified as part of the response plan need to be practiced and reviewed, and any deficiencies noted corrected and repracticed. And nothing should ever be taken for granted.”
Facing Challenges
One challenge for hospitals is ensuring their breach response process encompasses perspectives and input from a range of critical functions within the organization. “Frequently, hospital breach response plans will contain operational or IT-focused resolution guidance and steps but leave out important communications considerations, protocols, and messaging to inform both the internal and external response to a live incident,” Singer says. “Another challenge is, often, hospitals may have an established incident response process documented, but it is not properly socialized across the organization. Incident response plans that aren’t regularly tested will wind up sitting on a shelf and collecting dust.”
Staden says one of the biggest challenges of establishing a breach response process is prioritizing the work. “Security budget and resourcing is tight across all industries,” he says. “However, it’s amazing how much budget and resourcing becomes available after a security event takes place.”
Beyond getting buy-in from the C-level, it’s a matter of working through a well-coordinated plan with key stakeholders. The plan needs to be led by someone who can work effectively across the organization. Then the plan needs to be completed. “All too often, the response provided is the effort is ‘in progress but hasn’t been completed,’” Staden says.
It’s essential for incident response team members, as well as their back-ups, to participate in regular crisis trainings, simulations, and tabletop exercises that test use of the incident response plan and help to identify any potential gaps.
Identifying who sits on a hospital’s incident response team is a critical step to establishing a best-in-class breach response plan. Singer recommends forming a core team that reflects key functional areas that are critical in the response process, but also small and nimble enough to actually be able to make critical decisions quickly in a crisis.
Arthur Young, president and founder of Interbit Data, says breach incidents, especially cyberattacks, require an integrated hospitalwide response in order to minimize panic, confusion, and miscommunication.
“Every hospital is organized somewhat differently, but there are some common team members beyond just the IT team who identify, respond, and remediate breaches,” he says. “This includes leadership from nursing to know what information is needed to manage patient care, admissions to know how to process patients, pharmacy to manage medications, lab, imaging, ambulatory, and other functions that are dependent on information continuity.”
Critical functions on core incident response teams include IT (eg, CIO/CISO), privacy, legal/compliance, and communications.
“Within this core group, it is important to identify a clear decision-maker/incident response lead. Often, organizations will position legal in this role given the regulatory requirements and legal considerations associated with data security and privacy issues,” Singer says.
Beyond this core group, experts recommend identifying extended team members and subject matter experts—such as patient relations and human resources—who may need to be engaged depending on the specific nature and scope of the issue.
In addition, establishing key external partners such as outside cyber counsel, a forensics firm, and a crisis communications partner is critical to an effective incident response effort. Finally, beyond clearly defining specific roles and responsibilities for team members, hospitals should also identify back-ups for core team members in case they are not available when a live issue erupts.
Susan Villaquiral, CISO at Fundacion Valle del Lili in Colombia, says hospitals need to complete the following distinct tasks:
• Build a technical team. Finding cybersecurity engineers specialized in incident response is all but impossible in the health care sector, Villaquiral says. “My advice? Build and develop the knowledge of your own engineers,” she says.
• Educate end users. End users are an important part of the cybersecurity process—not only in terms of avoiding incidents but also knowing what to do and whom to notify should a breach occur.
• Identify all affected stakeholders. Compiling a list of all stakeholders related to and/or affected by an incident is difficult, even more so when time is of the essence.
• Be aware of what the law demands. In addition to complying with well-known laws, hospitals must also be cognizant of contracts with third parties that must be notified when an incident occurs.
Ongoing Training and Strategies
Singer says effective breach preparedness is about building “muscle memory.” Organize regular training and simulation exercises, test existing incident response processes and protocols, and identify any gaps that need to be closed in advance of a live issue.
“Best-in-class simulations involve multiple escalations that reflect the types of inflection points hospitals could expect in a real data security crisis such as media inquiries and news coverage, social media conversation, patient inquiries, regulator inquiries, elected official involvement, etc,” Singer says.
Villaquiral recommends hospitals utilize simulations to help predict the technical team’s response times as well as to pinpoint vulnerabilities.
“In our hospital, twice a year, we use this type of test that not only includes a data breach but also the unavailability of the data,” Villaquiral says. “This helps us to see that the contingency plans of the areas work as expected and the attention to the patients doesn’t get affected.”
In addition to the core incident response team, experts recommend hospitals engage their external partners in these exercises.
“Conducting regular exercises like these, at least annually, is critical for enhancing preparedness—especially given potential internal turnover and transitions on hospitals’ internal incident response teams,” Singer says.
The Aftermath
The messaging being conveyed before, during, and after a breach should be a priority. After a breach has occurred, hospitals shouldn’t pay lip service to the incident with trite remarks such as, “We have a safer system and this is not going to happen again.”
“Instead, if the law permits it, keep confidential the communications sent to the users affected by the incident and build communication for the patients and the insurance companies that explain in detail the situation and all the actions that you have implemented to avoid another incident,” Villaquiral says. “Working with government agencies also can help to support the recovery of the reputation. However, only in time will stakeholders learn to trust their information with you again.”
— Maura Keller is a Minneapolis-based writer and editor.