How to Move Ahead After a Data Breach
Over the last few months, hundreds of thousands of Canadians have had their personal information stolen or exposed online. This year, in particular, several multinational organizations discovered and reported data breaches involving the personal information of Canadians (e.g. Capital One SIN no. breach, Desjardins breach). While these organizations had significant resources dedicated to protecting themselves against such breaches, they were not immune.
Equally troubling, breaches affecting healthcare organizations are reported by the media regularly. The latest widely reported example is the Ryuk ransomware attack.
A healthcare organization can be subjected to internal as well as external threats that can lead to a data breach. Internal threats resulting from accidental or intentional breach events – often the hardest to detect – are the most prevalent in healthcare. External threats originate online, in the form of hackers, malware attacks, and the like.
Often, these incidents lead to class action lawsuits, unwelcome media attention, regulatory reviews/orders, and financial losses related to forensic investigations and legal assistance. Breaches can also lead to reputation loss, which affects community, donor and partner relations.
With these events on the rise, it’s imperative that organizations are equipped to handle a data breach. At HIROC, helping our subscribers understand these risks and what can be done to prevent and mitigate losses is at the core of our value – and that goes for cyber and data security.
Tip #1: Develop an incident response plan
Healthcare organizations of all sizes should have cyber security breach and data breach incident response plans or protocols in place. Plans help ensure an immediate and coordinated response with clarity around roles and responsibilities. A good incident response plan would, at a minimum, include:
- A contact list of Incident Response Team members, including internal and external experts and stakeholders
- Steps that can be taken to detect and contain a breach
- A recovery strategy that does not impede the investigation
- Communication and notification requirements and responsibilities, including media response lead
- Steps to identify legal obligations and to contact respective insurers
The first step after a suspected incident is to promptly quarantine, investigate and confirm that the incident is real. Certain types of experts may be needed for the investigation, so having a prepared list of incident response team members and experts is vital. Once the breach is confirmed, containment efforts can begin so the breach does not spread further.
If your incident management team consists of employees supporting the day-to-day function of the organization, they can easily become exhausted due to long work hours and stress. This can be alleviated by providing pre-identified trusted internal and external advisors, experts, and resources to support staff in the management of the incident.
Healthcare organizations cannot afford to have information systems offline for long. An appropriate recovery strategy with backup restoration steps should also be included in the plan. The team should be able to restore the systems and affected functions with minimum impact on the incident investigation efforts. Data breach incident management is not just the responsibility of the Information Technology department and its employees. Senior management teams, risk managers, legal, privacy professionals, and communications professionals will need to be involved to ensure the incident is managed appropriately. Board members and key stakeholders may need to be informed of the breach, with an appropriate level of detail.
Having a comprehensive communications plan can go a long way in helping healthcare organizations manage breach notifications and communications with as little damage to the internal and external reputation as possible. If possible, the communications plan should include sample verbiage that has been pre-approved by senior management and can be easily used in internal and external announcements, media releases and/or regulatory and patient notifications. Senior management, risk managers, and privacy officers within the organization should be consulted, at minimum, before releasing any information to the media, public or community.
Subscribers should also contact HIROC through the Healthcare Safety and Risk Management department or HIROC’s Claims department for advice on breach management and notifications.
Tip #2: Test your incident response plan
Once your organization has a plan in place, it’s important to test your incident response plan to identify gaps. At a minimum, plans should be tested and updated on an annual basis.
In June 2019, the Information and Privacy Commissioner of Ontario published the 2018 statistics on health information privacy incidents experienced by various health-related organizations and/or health information custodians. 2018 was the first year Ontario healthcare organizations or health information custodians were required to collect and submit health privacy breach statistics to the Office of the Information and Privacy Commissioner of Ontario. According to this report, health information custodians experienced 11,278 breaches of Personal Health Information in Ontario. The statistical figures show that the breaches originated from various types of events such as misdirected faxes, lost unencrypted storage devices, employee snooping, and cyber attacks. Even smaller breaches have to be investigated, documented and included in the statistical figures by health information custodians across Ontario. Testing a plan to ensure proper management of even a small incident can limit future exposure for organizations.
How HIROC can help
HIROC has a number of resources on cyber security and privacy breaches. For further information, check out our Resources library on HIROC.com and search for “Privacy” or “Cyber”. A few of our key resources are:
- Cyber Risk Management: A Guide for Healthcare Providers and Administrators
- Key Measures for Preventing and Mitigating Cyber Attacks and Ransomware
- Breach of Personal Health Information (Case Study)
- Privacy Breach (Risk Reference Sheet)
Questions or comments pertaining to cyber coverage and mitigation strategies can be sent to inquiries@hiroc.com.
Kopiha Nathan is HIROC’s Privacy and Compliance Officer. She can be reached at knathan@hiroc.com.