3 Tips for Improving Breach ResponseExpert Offers Pointers for HIPAA Compliance
Breaches can happen even when there are strong protections in place. But healthcare organizations can do more to prepare for breaches and respond in the best possible way to protect patient information.
Here are three tips to avoid common pitfalls in healthcare incident response programs.
1. Define Incidents Broadly
HIPAA and state laws require organizations to recognize and properly respond to events that put certain personally identifiable information at risk. Most states today require notification when data that could be used for identity theft is breached. Hence, "incidents" must include negative events affecting a variety of legally protected data, not limited to protected health information, or PHI. For your organization's sake, you should include internal confidential and proprietary data as well.
"Incidents" can include such data in any form, including written, spoken and electronic. Some organizations mistakenly consider security incidents only in technical terms, relating to computers and networks. While incidents and breaches often involve malicious attackers and malware, that's only part of the story.
Both HIPAA's privacy rule and its security rule require incident response and mitigation. Therefore, "incidents" must include both privacy and security events. However, there is considerable overlap between privacy and security incidents, with most, if not all, privacy incidents also being security incidents. It is counterproductive to attempt to segregate privacy and security incidents, and, in fact, the HIPAA breach notification rule does not distinguish between them.
2. Teach Workforce to Report Incidents
Training is a critical component of privacy and security programs. Without it, the best policies and technologies can only go so far. Building on your broad definition of "incidents," ensure your documented workforce training content includes not only the definition but a wide range of examples. It is essential to convey to your staff the full scope of this requirement and the organization's expectations. Also, use current news stories on breaches to inform your workforce. Explain these incidents and discuss whether and how they could happen in your organization, as well as what individuals can do to prevent such breaches.
Training content must also include how to report incidents within the organization; the process should be easy and unambiguous. Here again, the workforce should not need to categorize an incident as involving either privacy or security issues to determine how to report it; most incidents will be both. Yet many organizations require security incidents be reported to IT and privacy incidents to the privacy or compliance officer, or compliance tracking system.
Since the information security officer and the privacy officer should be acting as a team in responding to incidents, it makes sense to have a single reporting stream. In addition, the workforce should not be expected to make the breach determination; that is the responsibility of the information security and privacy officers because it requires expertise in the regulations.
Be sure your training content reinforces the requirement to report all incidents promptly, even if an incident is only suspected. Each organization's information security officer and privacy officer should determine the time limit - such as "the same day" or "within 24 hours" or "within one business day" - and include it in training content.
3. Make Incident Response Plan Comprehensive
Ensure that the scope of your organization's plan is comprehensive, including all incidents, both privacy and security.
Keep in mind that an organization's incident response plan is intended to be a clear guide to actions, particularly during a crisis. A plan that simply states high level commitments to satisfy HIPAA or state regulations is not a real plan. Think of the plan as a cookbook with necessary ingredients and logical steps to follow. Unfortunately, this cookbook will have guidelines instead of precise measures, but a good plan will take an organization to a successful outcome.
The ingredients may include factors to consider in triaging an incident, questions to ask as part of the investigation, and state and federal legal requirements regarding notifications. The latter can be embedded in the plan or provided via direct links to actual regulation details such as at www.eCFR.gov.
The recipe should include, for example: triaging incidents based on criticality; convening primary and secondary response teams; determining if an incident falls under one or more state laws and/or HIPAA; if the incident involves PHI, determining violations versus breaches; mitigation actions depending on the type of incident; carrying out notification steps; and wrapping up.
Following HIPAA violations and breaches, take time to evaluate the effectiveness of your plan, as well as the training of your workforce and your response teams. Update the plan and training as needed.
Borten is president and founder of the security and privacy consulting firm, The Marblehead Group.