The cliché adage is that “no business plans to fail”, but often a business will fail to plan. Regardless of industry sector, nowhere is this more accurate than in the realm of cybersecurity. Many businesses with mission critical applications that are controlled and operated over extensive electronic networks have few, if any, contingency plans to respond to a data breach that can shut those networks down. Loss of network operations in a healthcare environment will not only impede operations, but can also harm a patient’s health and well-being.
In view of this, hospitals and medical centers are formulating and implementing healthcare cybersecurity data breach communications plans that, at a minimum, will create a roadmap for responding to hacking attacks on their networks. Those plans generally feature a few common elements.
A Point Person Who Manages a Coordinated Team Response to a Data Breach
This person will have the knowledge and authority to make decisions and to direct the efforts of a crisis management team in real time. He or she will also oversee all communications regarding the data breach, both within the organization and to third parties whose data might have been affected by the breach.
Regular Updates on Legal and Regulatory Matters
The healthcare industry is heavily regulated at both the state and federal level. Regulations impose stringent confidentiality and privacy obligations on medical service providers which, if violated, can expose those providers to substantial fines and penalties. Providing prompt notice of the data breach to the Department of Health and Human Services is foremost among those obligations. No data breach plan for the healthcare industry would be complete without consideration of these obligations and the risks they entail. Healthcare data breach communications plans should be audited frequently to confirm that they satisfy new or amended regulations.
Allocation of Sufficient Resources for an Effective Response
Healthcare organizations that are not prepared for a data breach can find themselves scrambling for the resources and finances needed for an effective response. This can delay the response and exacerbate the severity of the data breach. Ideally, a healthcare organization will be covered by a cybersecurity insurance policy that will reimburse the organization for its direct losses, third-party liabilities, and regulatory fines that it faces when it suffers a data breach.
Educate Employees and Plan for Continuous Improvement
Employees at all levels of a healthcare organization can help to prevent data breaches and can contribute to an effective response to them. Employees need to understand the risks of common electronic practices, such as using simple passwords or not changing passwords frequently, responding to phishing email, and posting information on social media sites. Employees should also be cautioned to follow the data breach response protocol when communicating information about a breach to third parties. Most employees will not willingly make a data breach situation worse, but without proper training, employees can inadvertently complicate a healthcare organization’s response efforts.
Evaluate and Amend the Plan Following Every Data Breach
No healthcare cybersecurity data breach communication plan is a static procedure, and every plan can stand some improvement and amendment. The weaknesses of a plan will typically not be appreciated until after a significant data breach. A data breach response team should conduct a post-mortem after every data breach to determine what parts of the plan worked and what parts should be changed.
Hospitals and healthcare centers have long prepared for disasters such as utility outages with backup generators and redundant supply systems. Planning for a data breach is no different. In the current environment in which virtually every healthcare facility is at an increased risk of a data breach, a data breach communication plan is a critical part of every medical center’s infrastructure.