The issue of data security and privacy has quickly become a huge societal concern that is having to be addressed by almost every stakeholder in every industry. It now seems like a common occurrence to read headlines of financial firms, retailers and other companies dealing with data breaches where infrastructural weaknesses are being exposed and sensitive customer information is being compromised.
Globally, an average of 2.2 million records were stolen each day in the first quarter of 2014; the 200 million-plus total is a 233 percent explosion from just a year ago. Furthermore, 43 percent of surveyed U.S. businesses – more than two in five – have experienced a data breach in the past year. Hackers have proven that no company, organization or government is immune and the issue has justifiably moved from the backroom to the board room.
There is perhaps no type of personal information more sensitive than health information and for this reason hospitals have been put on notice. As hospitals strive to implement and meaningfully use electronic health records (EHRs), patient information is becoming increasingly digitized and therefore more and more at risk for privacy breaches. Drug prescriptions, potentially stigmatized health conditions, and other delicate and private information is being routed from provider to provider, many of whom are on different EHR systems. In addition to a host of infrastructural precautions that hospitals can take to protect this type of information, there are also some prepared communication strategies that can be enlisted by hospitals to manage the business impact of a breach. These are just as important because there is more at risk for hospitals than just data – a recent survey of 2,000 respondents found that more than half of all respondents, 51 percent, would take their business elsewhere after a breach.
Reputation is one of a hospital's most valuable assets and managing it when a data breach occurs is not about spin and is not a job to be left to the legal department. First and foremost, a hospital's response needs to begin at the top with its C-suite. Hospital executives need to make sure that the hospital's actions in the wake of a breach are well-planned and coordinated. Whether it's in interviews with the media, outreach to patients, communications to hospital employees, or interacting with regulatory and policy officials, everyone needs to be working from the same playbook and able to project a sense of control. It is also imperative that a hospital's playbook be lean yet integrated, allow for a fluid situation and be consistent in its language. The following are key considerations for a hospital in constructing a playbook to deal with a potential data breach:
1.) The playbook needs to engage the hospital's outside counsel, forensics firm, communications counsel and credit monitoring service if a breach were to occur. This allows the hospital to hit the ground running and quickly enlist outside experts to mitigate the fallout from a breach.
2.) A hospital's playbook must clearly define the roles and responsibilities of the hospital employees who need to deal with a data breach. Usually the core team involves leads from the hospital's security, IT and communication teams as well as members of the C-suite, as appropriate. Coordinating all of this activity should be a single person who is designated as the team leader and actually has the necessary authority to make decisions along the way. Defining this person and the core team early on will prevent a last-minute scramble to figure out who is doing what when a breach occurs.
3.) The roles and responsibilities of external experts need to be predetermined and clearly outlined in the playbook. The external team should be kept lean to avoid duplicating efforts, prevent confusion, and generally allow for a more efficient response.
4.) The playbook should guide how hospital executives interact with state lawmakers and regulators in the wake of a breach. These relationships are extremely important in dealing with any data privacy crisis, and even more so when dealing with the theft of personal patient information. Therefore, it is highly recommended that hospital executives foster these relationships so that they are not meeting these people for the first time after a breach occurs.
5.) Consistent language should be used throughout the playbook so that all involved can understand. This is especially important for hospitals as EHR and hospital payment systems typically use nomenclature that is specific to the healthcare industry. Anyone serving on the hospital's core team, as well as outside experts, should be thoroughly briefed on the relevant industry terminology as well as the more general IT and payment system language. Resources such as the SANS Glossary of Security Terms or the Payment Card Industry (PCI) Glossary of Terms, Abbreviations and Acronyms can help bring everyone up to speed on general security terms but should also be supplemented by healthcare-specific resources.
6.) Any playbook should be tested with a simulation of a crisis scenario in order to prepare for a situation where patient data is compromised. Such a simulation should rely upon all functions responsible for legal, regulatory, operations and reputation. This can expose any gaps in protocol so the hospital can proactively address before it's too late.
While having a tested playbook will go a long way in dealing with a hospital data breach, it should also be remembered that no two data security incidents are the same. Twists and turns are to be expected and hospitals must be nimble yet patient. It takes time for the dust to settle after a breach and communicating too quickly can result in unwanted liability for a hospital. "In major breaches, it can take a month or two of round-the-clock work to answer: How did the attackers get in and when? What did they view? What did they steal? Are they still in there?" explains Eric Friedberg, executive chairman of Stroz Friedberg, a digital forensics firm. In fact, the median length of time from discovery of a breach to containment is 87 days. With so many basic questions potentially remaining unanswered, hospitals must be careful to clearly delineate what they know and what is still being investigated when communicating with the public.
As hackers become increasingly sophisticated, hospitals must work to become increasingly prepared. Hospitals should constantly be reviewing and updating their playbooks to keep pace with those who look to steal sensitive patient information. Disaster can strike at any time for a hospital and having the appropriate response plans in place can help alleviate some of the pain that inevitably comes with a data breach.
David Chamberlin is the executive vice president and general manager of Edelman's Dallas office, and the leader of the firm's global Data Security and Privacy team.You can find him on Twitter at @djchamberlin.
Cathy Barry-Ipema is senior vice president of Health and co-lead of Edelman's Hospital and Health Provider Taskforce.