Wednesday, May 4, 2011

Breach Fatigue

You've read about the Sony privacy breach, the Epsilon email compromise, and recent high profile privacy breach settlements.

Every day the headlines are filled with so many such security issues that it almost seems like background noise.   Just as too much decision support can result in alert fatigue and too many false alarms can result in alarm fatigue, the barrage of security breach news can lead to breach fatigue, causing you to let down your guard.   Forewarned is forearmed, so push aside your breach fatigue and plan for the day when you will have to run your own breach notification.   Here's a task list to guide you:

Immediate response actions
 Report to Police Department
 Notify Legal Counsel
 Notify Privacy Officer
 Notify CEO
 Notify Clinical and IT Leadership
 Notify Board of Directors
 Notify Liability Insurer
 Develop action plan

 Inventory unsecured data
 Draft Risk Assessment rules (what data in combination is reportable i.e. name + social security number)
 Finalize Risk Assessment rules
 Conduct Risk Assessment
 Complete Risk Assessment Report
 Complete Reporting Requirements Report

Regulatory Reporting and Notifications
 Define practice strategy/approach
 Initial communication with practices
  Draft notification to Media
  Oral notification to federal/state authorities including approval of notices
   Office of Civil Rights
   Attorney General
   Office of Consumer Affairs
 Practice approval of media notification
 Distribute notification to media
 Complete Practice specific spreadsheets
 Choose credit monitoring service
 Complete credit monitoring service contract
 Prepare Patient Notices

Practice related activities
Initial call
Follow-up visit scheduled
Practice packages complete
Practice packages delivered to practice
Re-identification visits scheduled  (to notify patients, you'll need addresses which may not be included in the actual data breached)
Re-identification complete
Patient notifications complete
Patient notifications sent
Attorney General reports filed
Office of Consumer Affairs reports filed
Office of Civil Rights reports filed

Prepare talking points for various channels
Staff a communication office (approximately 10% of notified patients will call)

Cross-Organizational Review of processes and procedures which led to the breach
Remediation of root causes
Security policy updates as needed
Laptop encryption as needed
Additional training as needed

Follow the advice of your privacy officer and your legal counsel completely.   Be transparent.   Over communicate.   Use the event as a teachable moment for your organization and your community.  Be humble and apologize.   Protect the patients and the providers.

As we continue the journey toward automation of electronic records to enhance safety and quality, we must retain the trust of our patients.   Following the plan above will go far to address those events that occur as we all learn how to be better protectors of the data we host.


Keith W. Boone said...


Many of these activities can be prepared for in advance. The most obvious being not to wait for a breach to occur before encrypting laptops ;-)

Developing a plan to address what will be done if a breach should occur will highlight many of risks to an organization that might otherwise be missed.

It might even be worthwhile to conduct a "breach drill".

Ed Larkin said...

It's important to have a comprehensive Cyber Liability insurance policy from a trusted carrier.