The risk of a data breach to hospitals and health systems is on the rise. According to data from ID Experts, there have been 498 breaches of 500 or more records and 55,000 breaches of less than 500 records since September 2009. That means more than 21 million healthcare records have been breached in the last three years. Ninety-six percent of hospitals had a data breach in 2011, and 60 percent of hospitals experienced multiple data breaches, said Mahmood Sher-Jan, vice president of product management for ID Experts. The potential organizational impact of a data breach incident for a hospital can be enormous. For this reason, the need for strong, effective data breach response plans is on the rise as well.
In a webinar hosted by ID Experts, Cris Ewell, PhD, chief information security officer for Seattle Children's Hospital, Research & Foundation, shared his organization's experience and model for managing information security incidents.
1. Organization. Determining who is involved in a hospital's data breach response can be a challenge. Seattle Children's has struggled with who should be accountable for incidents.
"This is bigger than information security and privacy. You'll hear me talking about making sure you involve everybody in the organization, from the board level to hospital trustees down to the individuals at the help desk," said Dr. Ewell.
Organizational challenges also involve cultural issues. According to Dr. Ewell, it is important for hospitals to break down the silos of the hospital to implement multidisciplinary incident response and management teams.
2. Expectations. Another challenge involves expectations hospital executives may have for preventing data breaches. "Sometimes different levels of executives will have unrealistic expectations that their hospital can prevent breaches. [Seattle Children's] operates under the assumption of a breach. You have to expect that [a data breach] is not a matter of if but when," said Dr. Ewell.
3. Available resources. According to Dr. Ewell, many times hospitals "take on too much" in terms of their internal data breach response. The goal is to reach a point of incident response where the hospital has the preplanning and preparation done ahead of time, rather than being reactive to an incident. For instance, it is important for hospitals to plan data breach responses that align with their available resources.
"What can you handle as an organization? If you have a breach, are you able to handle setting up the call center and resource center in 24 hours? Do you have the ability to run forensics?" asked Dr. Ewell. "Hospitals may have the resources in house, but do they have the ability to handle the response for a large incident? Those are all the type of things that need to be addressed," he added. If a hospital needs outside help, it should look for it; otherwise the response following an incident could be too lengthy.
4. Determining breach risk. Sometimes the hardest part of breach response preparation is determining the potential risk to patient information. However, being able to detail potential risk and document any preparation is critical for strong data breach response management. "With all data breaches I want to be able to tell the story. Why did it happen? Why did the person want the information? [These questions] help me determine what the risk picture is, which helps us prevent breaches" said Dr. Ewell.
1. Governance. Seattle Children's governance structure for its data breach response management is clear and well laid-out. Strong governance will transform the entire organization into a risk-based organization that looks at security and privacy issues holistically rather than departmentally, according to Dr. Ewell. The hospital's strong governance is evidenced in its detailed plan, which includes six steps: preparation and planning, discovery and report, analyze and assess, response, recovery and remediate and post-incident. According to Dr. Ewell, the first step — preparation and planning — is his responsibility.
"I have to make sure all the planning and processes are in place. I work closely with privacy and compliance officers to make sure their programs feed into my program," said Dr. Ewell. "I also report to a board level committee as well as to general counsel. Reporting to these high level departments places the risk management program at a high level in the institution," said Dr. Ewell.
2. Organizational support. Closely tied with its governance, Seattle Children's has strong organizational support for the office of information security. Dr. Ewell attends a monthly oversight committee where all compliance and information security issues are discussed. He also meets with the entire information security department regularly.
3. Culture of continuous improvement. The hospital has a culture of continuous improvement because its data breach response process is circular. While the response ends with recovery and remediation, the entire process ends with post-incident, leading the organization back to assessment and planning for future incidents. In a sense, the process for data breach response is never over.
"We are always thinking of how we can improve the process. We have a continual loop process so we even when we have responded to a potential incident and go into the remediate and recovery stage, we head back to step one to see what we can do better in the future," said Dr. Ewell.
4. Clearly defined roles and responsibilities. For Seattle Children's, the type of data dictates which office and which official leads the incident response efforts, although all the offices dealing with information security, privacy and compliance are involved. Here are the hospital's designations by office:
• Privacy office — paper records of personal health information
• Chief information security office — electronic PHI or personal identity information
• Corporate compliance office — corporate compliance issues
• Research compliance office — research compliance issues
• Information services security officer — incidents not included above
Here are the hospital's designations by official:
• Privacy officer — PHI
• Chief information security officer — ePHI, PII or other information related to information security incidents
• Corporate compliance officer — corporate compliance issues
• Research integrity officer — research compliance issues
5. Teamwork. As mentioned above, teamwork is important for a hospital's success in incident response management. Dr. Ewell recommends including several different departments in the management team.
"This is more than security. You cannot do this yourself. You have to build a team. It must involve all levels of the organization to be successful. Otherwise, no one understands, you do not have coordination and it falls apart," said Dr. Ewell.
In addition to the security, privacy and information security departments, he recommends that that the following three departments have representation:
• Operations — "You should consider including business and healthcare operations. The president of the hospital sits on the hospital's incident management team as well as her specific department's team," said Dr. Ewell.
• Legal — Dr. Ewell recommends working with the legal department. He has a strong relationship with the general counsel and associate counsel for the hospital. "We have a close relationship. We can release information very quickly [after a breach] because of that," he said.
• Human resources — "This department is so important. Everything I do flows with HR. We conduct many investigations on incidents with and without PHI. They can help you follow all the rules and processes you must go through, especially when or if you deal with unions," said Dr. Ewell.
5 Ways Hospitals Can Improve Information Security
8 Ways Henry Ford Health System Improved Its Data Breach Response Plan
In a webinar hosted by ID Experts, Cris Ewell, PhD, chief information security officer for Seattle Children's Hospital, Research & Foundation, shared his organization's experience and model for managing information security incidents.
4 Challenges
According to Dr. Ewell, Seattle Children's — like many hospitals — struggles with a few challenges when it comes to preparing strong incident response management plans.1. Organization. Determining who is involved in a hospital's data breach response can be a challenge. Seattle Children's has struggled with who should be accountable for incidents.
"This is bigger than information security and privacy. You'll hear me talking about making sure you involve everybody in the organization, from the board level to hospital trustees down to the individuals at the help desk," said Dr. Ewell.
Organizational challenges also involve cultural issues. According to Dr. Ewell, it is important for hospitals to break down the silos of the hospital to implement multidisciplinary incident response and management teams.
2. Expectations. Another challenge involves expectations hospital executives may have for preventing data breaches. "Sometimes different levels of executives will have unrealistic expectations that their hospital can prevent breaches. [Seattle Children's] operates under the assumption of a breach. You have to expect that [a data breach] is not a matter of if but when," said Dr. Ewell.
3. Available resources. According to Dr. Ewell, many times hospitals "take on too much" in terms of their internal data breach response. The goal is to reach a point of incident response where the hospital has the preplanning and preparation done ahead of time, rather than being reactive to an incident. For instance, it is important for hospitals to plan data breach responses that align with their available resources.
"What can you handle as an organization? If you have a breach, are you able to handle setting up the call center and resource center in 24 hours? Do you have the ability to run forensics?" asked Dr. Ewell. "Hospitals may have the resources in house, but do they have the ability to handle the response for a large incident? Those are all the type of things that need to be addressed," he added. If a hospital needs outside help, it should look for it; otherwise the response following an incident could be too lengthy.
4. Determining breach risk. Sometimes the hardest part of breach response preparation is determining the potential risk to patient information. However, being able to detail potential risk and document any preparation is critical for strong data breach response management. "With all data breaches I want to be able to tell the story. Why did it happen? Why did the person want the information? [These questions] help me determine what the risk picture is, which helps us prevent breaches" said Dr. Ewell.
5 elements of Seattle Children's data breach response culture
Part of Seattle Children's success in data breach response management can be attributed to its culture of governance and organizational support. However, the hospital also has a clearly defined process for response with specific designations for responsibility. Here Dr. Ewell elaborates on the elements that have led to the hospital's strong information security and breach response.1. Governance. Seattle Children's governance structure for its data breach response management is clear and well laid-out. Strong governance will transform the entire organization into a risk-based organization that looks at security and privacy issues holistically rather than departmentally, according to Dr. Ewell. The hospital's strong governance is evidenced in its detailed plan, which includes six steps: preparation and planning, discovery and report, analyze and assess, response, recovery and remediate and post-incident. According to Dr. Ewell, the first step — preparation and planning — is his responsibility.
"I have to make sure all the planning and processes are in place. I work closely with privacy and compliance officers to make sure their programs feed into my program," said Dr. Ewell. "I also report to a board level committee as well as to general counsel. Reporting to these high level departments places the risk management program at a high level in the institution," said Dr. Ewell.
2. Organizational support. Closely tied with its governance, Seattle Children's has strong organizational support for the office of information security. Dr. Ewell attends a monthly oversight committee where all compliance and information security issues are discussed. He also meets with the entire information security department regularly.
3. Culture of continuous improvement. The hospital has a culture of continuous improvement because its data breach response process is circular. While the response ends with recovery and remediation, the entire process ends with post-incident, leading the organization back to assessment and planning for future incidents. In a sense, the process for data breach response is never over.
"We are always thinking of how we can improve the process. We have a continual loop process so we even when we have responded to a potential incident and go into the remediate and recovery stage, we head back to step one to see what we can do better in the future," said Dr. Ewell.
4. Clearly defined roles and responsibilities. For Seattle Children's, the type of data dictates which office and which official leads the incident response efforts, although all the offices dealing with information security, privacy and compliance are involved. Here are the hospital's designations by office:
• Privacy office — paper records of personal health information
• Chief information security office — electronic PHI or personal identity information
• Corporate compliance office — corporate compliance issues
• Research compliance office — research compliance issues
• Information services security officer — incidents not included above
Here are the hospital's designations by official:
• Privacy officer — PHI
• Chief information security officer — ePHI, PII or other information related to information security incidents
• Corporate compliance officer — corporate compliance issues
• Research integrity officer — research compliance issues
5. Teamwork. As mentioned above, teamwork is important for a hospital's success in incident response management. Dr. Ewell recommends including several different departments in the management team.
"This is more than security. You cannot do this yourself. You have to build a team. It must involve all levels of the organization to be successful. Otherwise, no one understands, you do not have coordination and it falls apart," said Dr. Ewell.
In addition to the security, privacy and information security departments, he recommends that that the following three departments have representation:
• Operations — "You should consider including business and healthcare operations. The president of the hospital sits on the hospital's incident management team as well as her specific department's team," said Dr. Ewell.
• Legal — Dr. Ewell recommends working with the legal department. He has a strong relationship with the general counsel and associate counsel for the hospital. "We have a close relationship. We can release information very quickly [after a breach] because of that," he said.
• Human resources — "This department is so important. Everything I do flows with HR. We conduct many investigations on incidents with and without PHI. They can help you follow all the rules and processes you must go through, especially when or if you deal with unions," said Dr. Ewell.
More Articles on Data Breach Response Management:
7 Steps for Hospitals to Run Effective HIPAA Risk Assessments5 Ways Hospitals Can Improve Information Security
8 Ways Henry Ford Health System Improved Its Data Breach Response Plan