CAMBRIDGE, Mass. -- When a data breach happens and the healthcare organization hasn't thought through its internal response plan, many bad things can happen. First, the people involved write internal emails throwing each other under the bus and assigning blame -- and the emails then become a revealing part of the record for attorneys and federal investigators to sift through later.
Then, in a vacuum, managing the media response falls to whom? Marketing? Media relations? IT staff? What will come out of their mouths to the local television, newspaper, radio and Internet reporters? The worst-case scenario is when CEOs take matters into their own hands and call a press conference -- unprepared, perhaps unintentionally making factual errors or public promises the hospital can't keep regarding future data breaches -- or revealing evidence that later turns into pronouncements of willful neglect.
Rest assured, data breaches will happen where you work, according to speakers at the PHI Protection Network's Forum 2013. Mitigating what happens after a data breach is a crucial operation that few providers are prepared for. Some of the above scenarios actually happened in the aftermath of real-life data breaches, and they point to the necessity of a crisis manager who becomes the point person for all aspects of a data breach response, such as coordinating documentation and dealing with the media. Most importantly, that person tells people to stop talking about the breach and lets hospital leadership minimize damage to the patients involved, the hospital's reputation and its bottom line.
"When you have a live one happening," said Meredith Phillips, chief privacy and information security officer at Detroit's Henry Ford Health System, "it really takes on a life of its own. You have people emailing willy-nilly and you have to tell them to stop. You have executives that want to take control of it, and they believe they know how to respond -- they want to talk to the press, they want to talk to the patients, they want to smooth it over. And you have me on the other end saying 'Please, just let it be, let me handle it.'"
Letting her handle it has become Henry Ford's policy now, Phillips said. She detailed the story of the health system's top-to-bottom patient privacy and data security revamp that took place after it experienced three media-reportable data breaches in a span of nine months -- and none since that.
Role-play in tabletop exercises
Henry Ford learned what many hospitals across the country are learning the hard way: There must be a point person, one who is in place before the breach happens and who knows what to do. "In dealing with your incident-response plan, you should designate and train someone on crisis management," said attorney Chris Cwalina, partner at Holland and Knight. "That's a unique skill set, dealing with press, customers, consumers who aren't necessarily customers, and regulators. You need somebody in-house that's trained up on how to deal with that."
To figure out just how employees would respond in the case of a data breach, start with tabletop role-playing exercises and develop response plans from them. When a data breach occurs, Cwalina said, "it becomes tricky" for hospital staff to maintain their composure under stress. This happens especially in the wake of breaches where low-level employees -- who typically endure a lot of job performance pressure to begin with -- cut corners or make unintentional mistakes.
Depending on company culture, the tabletop exercises could be elaborate, or they could be simpler "What would we do?" discussions with different scenarios batted about. The important part is that they test the response. And when it's retested in another tabletop exercise, the response will be smoother and help shore up the liabilities the initial exercises uncovered.
What perils might a hospital encounter if it doesn't do data breach drills? Attorney James Pyles, principal at Powers, Pyles, Sutter & Verville, said one of his firm's cases kicked off when a local reporter sought comment on a data breach before the hospital itself had found out it had taken place. Without a point person and response plan in place, the hospital "was just constantly responding" in an unorganized way to media outlets, the HHS Office for Civil Rights, and finally the state's attorney general, he said.
"It can be absolutely chaotic," said Pyles, who reminded the forum's attendees that everything employees say to the media becomes part of the record that investigators will review later. Having those statements vetted by in-house or external counsel is a good idea. "It is so important to have a crisis manager in a case like that, to have one person who is consistently communicating with the press, so you don't get trapped or locked into inconsistent or perhaps even damaging statements."
Another case that Cwalina recounted involved a healthcare provider's chief privacy officer and CEO making contradictory statements to media outlets, a situation that later became an issue for investigators to probe in painful detail. Tabletop exercises in advance of a data breach not only help iron out these potential disasters before they happen, but they also bring up another important issue: which documents will be presented to regulators, and where they reside.
"That will save you time," Cwalina said. "You know the regulator is going to ask for your [HIPAA] policies and procedures, and your written information security program. Usually, when you ask companies about those documents, they say 'Well, they're all over the place.' If you have it buttoned up, you're ready to go when a regulator comes knocking and you don't have much time to respond."
Getting senior leadership on board
Theoretical tabletop exercises can be boring. Creating a privacy and security infrastructure can be boring. Most hospitals, said Michael Sullivan, Ashcroft Law Firm LLC partner and U.S. Senate candidate from Massachusetts, don't see the value in investing time, capital and resources into patient privacy until a data breach occurs. Only then do they get it.
Henry Ford's Phillips offered a tip for engaging senior leadership in helping build a culture of patient privacy and data breach prevention: In the case of a data breach, affected patients must be notified about it, as well as about the hospital's ongoing efforts to remediate the damage and future data protections such as credit monitoring. She suggested having senior leadership make some of those one-on-one calls.
Phillips chose the chief operating officer at her health system to experience that particular data breach response duty. He got a call list of patients who had been affected twice in three months by data breaches. Some of them, as can be imagined, were very upset. "As I sat in his office and watched him do that, he was just floored," she recounted. "After he hung up the phone with the last one, he said, 'Is this really what you have to do?'"
At that moment, she said, he understood how patient privacy wasn't just an abstract compliance directive at which a hospital throws policies and technology, but a service -- building, maintaining and rebuilding trust among patients, one at a time. "That changed his focus. He got it."