December 2016

Call In the Reinforcements
By Selena Chavis
For The Record
Vol. 28 No. 12 P. 10

With data breaches on the rise, health care organizations must have response teams at the ready.

Even as data breaches continue to surge, many health care organizations still lack the financial and staff resources to effectively manage the fallout from cyber crises, preventable mistakes, and other issues. These shortcomings, as detailed in the Ponemon Institute's Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, indicate there is plenty of room for improving data breach response across the health care industry.

Sara Goldstein, JD, general counsel for MRO, says the situation is likely to continue, adding that today's threats are complicated by ransomware and more sophisticated hacking strategies. "[Health care organizations] may have had a very solid breach prevention, breach response, incident response team that was effective and efficient in the past," she says, while noting the difficulty of keeping up with today's level of threats. "A program should be continually updated to make sure that it's in line with what is going on in the world."

The good news, according to the Ponemon study, is that health care organizations are making progress—71% have a process that leverages IT, information security, and compliance, up from 69% in 2015. Also, more than one-half say they have in-house expertise to respond to a data breach. However, the majority of those organizations believe they need more funding and resources to make the response effective.

On the business associate (BA) side, there's been an uptick in the deployment of breach-fighting tools, although not as large an increase as among health care organizations. While 64% say their organizations have a process built on IT, information security, and compliance, only 46% sport the in-house expertise to effectively respond.

It's true that progress is being made, but many industry experts point out that there is still a notable gap between effective and ineffective data breach response. Plus, few organizations can immediately detect and respond to data breaches, according to Jim Bowers, JD, senior counsel and director of compliance risk services with Day Pitney.

"The health industry is subjected to a plethora of data breaches, but this is common across most industries," he says. "Hacking is so sophisticated now that it may take months or perhaps years to find out someone has intruded on your information. It's an area where technology is trying to keep up … but companies don't have it down to a science where they can know immediately."

Eric Fader, JD, counsel in Day Pitney's health care practice, adds that once organizations detect a breach, investigations are not instantaneous. "First, you have to get your arms around where the information went, to whom it went, and whether it is likely to be further disseminated," he explains. "In some cases, upon investigation, you can stop the information that was initially considered a breach from getting further. Or, maybe there is no indication that it did get disseminated in a way that is potentially damaging."

It's a complex issue, one that health care organizations will likely continue to grapple with for the foreseeable future. Goldstein says increased scrutiny on the national level ups the ante on effective response strategies. "So, when it comes to HIPAA, the breaches involving more than 500 patients have usually received all the attention—and, in fact, almost all of the resolution agreements with the Office for Civil Rights [OCR] and the civil money penalties involved large breaches," she says, adding that OCR announced earlier this year that it's making a concerted effort to investigate and publicize breaches involving fewer than 500 patients. "In the future, we may be seeing resolution agreements related to breaches of maybe 10 or 20 patients' medical records. It's the little ones that matter, too."

Breach Response and Notification
Before initiating breach response activities, organizations must complete an internal investigation to determine whether the information is compromised, says Rita Bowen, MA, RHIA, CHPS, SSGB, vice president of privacy, compliance, and HIM policy for MRO. "They're going to want to validate that information and then apply that risk assessment to determine if this is low risk, medium risk, or high risk, and then they will notify the patient—or they should notify the patient," she says.

Julie A. Roth, MHSA, JD, RHIA, a partner with the law firm Lathrop & Gage, says whenever there has been the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the HIPAA privacy standards, a breach is presumed unless a covered entity can demonstrate a low probability that the PHI has been compromised. The proof must come in the form of a risk assessment that ascertains the following:

• the nature and extent of the PHI involved, including the types of identifiers and likelihood of identification;

• the person who used the PHI or to whom the disclosure was made;

• whether the PHI was acquired or viewed; and

• the extent to which the risk to the PHI has been mitigated.

"If a breach has occurred, a covered entity has a duty to notify the patient in writing of the breach without unreasonable delay, and no later than 60 calendar days after discovery of the breach," Roth says. "The written notification must include a variety of information such as a description of the breach and the types of PHI involved, what individuals can do to protect themselves, what the covered entity is doing to protect individuals and prevent future occurrences, and contact procedures for individuals to ask questions."

In cases involving more than 500 individuals, a covered entity also must notify the media about the breach. Further, OCR must be notified of all breaches.

"A covered entity's obligations do not stop with notification," Roth adds. "The covered entity should take steps to mitigate harm to the individuals, retrain staff, and address any weaknesses that led to the breach occurring."

Frank Siepmann, a senior cyber security advisor, explains that breach responses are security, legal, and business events. Effective response requires strategies for managing public perception and determining legal requirements from a regulatory and contractual perspective in terms of BA agreements. In addition, he suggests that security must work with stakeholders to ensure that the evolution of an investigation aligns with all parties involved.

Health care organizations also must be aware not to overlook state notification requirements that may be more onerous than those found in HIPAA. "I think that it can be confusing for organizations to understand what obligations they have under applicable federal and state laws regarding breach notification," Goldstein says. "So, in addition to HIPAA, the states have breach notification laws that have different requirements and must be fulfilled within different timelines. They also have different definitions of a breach, so what might not constitute a breach under HIPAA may constitute a breach under state law."

Identifying Poor Breach Management Practices
Siepmann points out that lackluster communication is a chief cause of botched breach responses. "Poor breach management can usually be identified by poor communication, usually resulting in missed deadlines, destroyed evidence, or other rookie mistakes," he says. "Communication is key after a breach."

Bowen notes covered entities never want to be in a position where they learn about a breach late in the game or from a patient. For instance, it's a major red flag if an organization receives notification from a BA of an event that occurred months prior. "That indicates to me that that the BA has a poor process for understanding, confirming, and providing me the information," she says.

Goldstein adds that BAs must be aware of where and how their data are being used. "It's a really bad sign if the patient is the first one to notify the covered entity and not the business associate," she says.

Bowers says industry data point to BA involvement in 30% of health care breaches. For this reason, he underscores the importance of closely managing and monitoring those relationships. In addition, he says the majority of breaches are related to malicious activity or employee negligence, opening the door to external litigation.

"You have to very quickly be able to assess whether a breach has occurred, get notification out, and plug the gaps," Bowers notes, adding that timely oversight and management position organizations well for what may hit them from the outside. Also, he points to the need for external expertise in pulling information together in a "forensic" manner. "We've seen situations where companies trying to plug the breach have destroyed evidence. You want to make sure that in correcting the leakage issue that you don't destroy evidence that might be crucial to litigation later on," Bowers says.

Fader agrees, adding that a plaintiff will likely file a case first and ask questions later. While there are no private rights of action under HIPAA, he explains that covered entities can be sued for such common-law or state-recognized causes of action as negligence or intentional infliction of emotional distress. "If you don't get your act together quickly, there are going to be all these other external pressures and people muddying the waters, which can easily distract from your core tasks," Fader says.

In terms of BA management, Goldstein recommends setting breach notification parameters in the contract. "Typically, a reasonable timeline would be five business days, but I've seen 40 hours and 72 hours required," she says, adding that auditing that activity over time can reveal issues that need to be addressed. "Work with the BA to make sure they are complying with what they agreed to in the BA agreement. There are a lot of vendors providing a program that would assess their compliance based on their answer to certain questions."

Practicing Breach Management
Breach management plans should be tested, just like their counterparts in business continuity and disaster recovery, Siepmann says. "There are different ways to practice. The easiest might be a table-top exercise. However, table-top exercises will not show many shortfalls," he says.

Bowen agrees, adding that health care organizations should have a security incident response team or data protection committee in place as a best practice. These groups are responsible for identifying potential risks as they pertain to real-world incidents and the "what ifs" of the same event occurring at their organization. "If you have a privacy security incident response team, you are basically then taking anything that's an abnormal event and going through a full root-cause analysis to determine that you have not missed anything," she says, adding that "health care organizations can no longer assume that the same situation will not happen to them."

Does It Ever End?
While there may be a defined point where response and notification procedures end based on legal advice, most experts agree that breach management is an ongoing process. "Legal or public relations activities might go way beyond the initial breach response," Siepmann says.

Goldstein acknowledges that applicable laws and regulations provide covered entities with a checklist of notification, information gathering, and reporting requirements. Once these tasks are complete, the incident becomes a learning opportunity for the organizations involved. "Any sort of incident, even if it was a close call … it should be incorporated into training for employees," she says, adding that organizations need to explore what can be done to minimize future risk. "You attend to what you have to do, but in terms of best practice, it really should be a lesson learned."

Bowen suggests conducting a root-cause analysis to find the true cause of the incident, breaking it down by asking the following questions:

• Is it an operational and policy-related issue that needs to be revised?
• Is it a lack of resources?
• Is it training?

Roth says that breach management is an ongoing process that does not end with notification. "Covered entities must learn from any breach incident and take steps to prevent future incidents from happening," she says. "These steps might include improving information security systems, providing additional HIPAA training, and implementing new policies and procedures."

— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications, covering everything from corporate and managerial topics to health care and travel.

BREACH MANAGEMENT: FIVE BASIC STEPS
Debi Primeau, MA, RHIA, FAHIMA, president of Primeau Consulting Group, says the following are measures any health care organization can employ to effectively manage data breaches: preparation, identification, response, recovery, and follow-up.

• The preparation phase is the process of establishing policies, processes, procedures, and agreements covering the management and response to security incidents, such as guidelines identifying levels and responses, auditing and logging, reporting guidelines, and resolution and follow-up.

• The identification phase is the process of detecting and reporting a potential security incident.

• The next step is the categorization of the incident and response. Health care organizations must identify the type of information breached and the type of event to categorize the incident and devise an appropriate response.

• In the recovery phase, the system and business process returns to full and normal operations. Actions include restoring and validating the system, deciding when to restore operations, and monitoring systems to verify normal operations without further system or data compromise.

• The follow-up phase involves fully documenting in the final incident report and disseminating the report to appropriate entities according to established policies; identifying lessons learned from the incident handling process, including the successful and unsuccessful actions taken in response to the incident; and developing recommendations to prevent future incidents and improve enterprise security implementation.

Following major incidents, response teams should hold lessons-learned meetings, which can help improve security measures and the incident handling process itself. The meetings should not be limited to the C-suite or the onsite incident response personnel—most valuable lessons are applied by system administrators and/or users.

— SC