Every day the headlines are filled with so many security breaches that they almost seem like background noise. Just as too much decision support can result in alert fatigue and too many false alarms can result in alarm fatigue, the barrage of breach news can lead to breach fatigue, causing you to let down your guard. Forewarned is forearmed, so push aside your breach fatigue and plan for the day when you will have to run your own breach notification. Here's a task list to guide you:
Immediate response actions
Report to Police Department
Notify Legal Counsel
Notify Privacy Officer
Notify CEO
Notify Clinical and IT Leadership
Notify Board of Directors
Notify Liability Insurer
Develop action plan
Analysis
Inventory unsecured data
Draft Risk Assessment rules (which data elements in combination are reportable, e.g. name + Social Security number)
Finalize Risk Assessment rules
Conduct Risk Assessment
Complete Risk Assessment Report
Complete Reporting Requirements Report
Regulatory Reporting and Notifications
Define practice strategy/approach
Initial communication with practices
Notifications
Draft notification to Media
Oral notification to federal/state authorities, including obtaining their approval of the notices
Office for Civil Rights
Attorney General
Office of Consumer Affairs
Practice approval of media notification
Distribute notification to media
Complete Practice specific spreadsheets
Choose credit monitoring service
Complete credit monitoring service contract
Prepare Patient Notices
Practice related activities
Initial call
Follow-up visit scheduled
Practice packages complete
Practice packages delivered to practice
Re-identification visits scheduled (to notify patients you'll need mailing addresses, which may not be included in the breached data itself)
Re-identification complete
Patient notifications complete
Patient notifications sent
Attorney General reports filed
Office of Consumer Affairs reports filed
Office for Civil Rights reports filed
Communications
Prepare talking points for various channels
Staff a communication office (expect roughly 10% of notified patients to call)
Remediation
Cross-Organizational Review of processes and procedures which led to the breach
Remediation of root causes
Security policy updates as needed
Laptop encryption as needed
Additional training as needed
Follow the advice of your privacy officer and your legal counsel completely. Be transparent. Over communicate. Use the event as a teachable moment for your organization and your community. Be humble and apologize. Protect the patients and the providers.
As we continue the journey toward automation of electronic records to enhance safety and quality, we must retain the trust of our patients. Following the plan above will go far to address those events that occur as we all learn how to be better protectors of the data we host.
John,
Many of these activities can be prepared for in advance. The most obvious is not to wait for a breach to occur before encrypting laptops ;-)
Developing a plan to address what will be done if a breach should occur will highlight many of the risks to an organization that might otherwise be missed.
It might even be worthwhile to conduct a "breach drill".
It's important to have a comprehensive Cyber Liability insurance policy from a trusted carrier.