Posted by: RedaChouffani
breach, data breach, data security, HHS, HIPAA, Privacy Rule
By now we have all heard and seen the headlines surrounding the recent trouble Sony is facing due to their IT security breach. Not only has it been reported that their gaming network has been compromised and consumer data stolen, but some of their internal servers have been reported as breached as well. This illustrates the growing capabilities of organized hackers and supports the fact that, no matter how big the firm, there is always the potential for real vulnerabilities in their systems. This most recent event was a PR nightmare for Sony, and with the reports of what actually happened not being released until many days later, it begs the question: How should an organization react?
In the health care setting, patient information is extremely sensitive, with records containing social security numbers and detailed medical history. As such, an organization must have an action plan and place and always be ready to defend its infrastructure as well as respond appropriately — and timely — to any breaches of data.
When a breach occurs in health care, meaning that there was an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information, such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual, then the following steps must be taken:
Local authorities notification and report filing:
- Notify the local police and file a police with report with the details
- Internal organizations notification:
Notify the IT director, CIO, security officer, legal team, etc.
- Begin taken steps based on any existing procedures to isolate or take offline the affected systems in order to stop further unauthorized access
Contact security groups:
- Enlist assistance from security experts to ensure that all unauthorized access is blocked
- Perform system analysis to ensure no other systems have been compromised
Notify any authorities and entities listed under the breach notification from DHHS:
- In August of 2009, HHS issued final breach notification regulations which required HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. HHS required the following steps after a breach of unsecured protected Health information (as listed in the HHS web site)
- Individual Notice
Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity. Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.
- Media Notice
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
- Notice to the Secretary
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.
- Notification by a Business Associate
If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.
As the industry navigates the slippery slope of electronic health record security, it is important to learn from the breaches and PR nightmares of others; make sure you learn the current breach framework and reevaluate your systems, and realize that it is critical to have recurring security reviews of your infrastructure. And while we can never be too protected, it seems we are yet to be protected enough, and thus one must continuously strive to follow best practices and recommendations from security officers and experts in this domain as we continue to exist, securely, in an increasingly digital world.