Henry Ford Health System in Detroit is a large and well-established health system. It has four acute-care facilities with approximately 2,000 beds; a 1,200-member medical group and a 500-member physician network; and a health plan serving approximately 640,000 members. With a workforce of approximately 31,000, the Malcolm Baldrige National Quality Award-winning health system earned $4.22 billion in revenue and a net income of $21.5 million in 2011.
Unfortunately, like a growing number of healthcare organizations, Henry Ford has experienced a few data breaches. For example, a laptop was stolen from a physician's office, which exposed patient information for approximately 4,000 patients. The data had been stored in a compiled spreadsheet on an unencrypted laptop, which was left unattended on the first floor of Henry Ford Hospital in Detroit. "We thought we had appropriately communicated that clinicians and physicians should not store compiled spreadsheets on laptops or other devices," said Meredith Phillips, chief privacy officer for Henry Ford Health System.
Obviously, no healthcare organization wants to suffer a data breach, which can put its patients and the organization itself at financial and non-financial risk. One might reasonably expect that a health system of Henry Ford's size, serving the number of individuals it does and holding the awards it has received, would have a foolproof plan for preventing data breaches such as those caused by stolen laptops, but this is not always the case. In a webinar hosted by the American Hospital Association and co-sponsored by ID Experts, Ms. Phillips discussed why the plan HFHS had was not effective and what they did to improve the health system's emphasis on data security and privacy as well as their data breach response plan.
Henry Ford Health System: Then
According to Ms. Phillips, when the laptop was stolen from Henry Ford Hospital, the health system's breach response was entirely internal — everything from call center support to mailing patient notifications was completed by staff. However, it took HFHS 56 days to complete its entire data breach response, from assessment to notification. "The 56-day response time was outside of our service standards and proved to us that our response plan was flawed," said Ms. Phillips. "We realized that assuming responsibility for the entire breach response lifecycle was extending our response time," she said.
To begin revamping the health system's response, Ms. Phillips and her team identified several areas for improvement, chief among them a lack of direction and focus within the organization for securing and protecting patients' personal information. Ms. Phillips called out these key issues specifically:
• Privacy was a subset of corporate compliance.
• Security was a subset of information technology.
• There was a decentralized approach throughout the entire system.
• There was a lack of branding and reinforcement for the incident response plan.
• The workforce misunderstood the urgency required when assessing and responding to data breaches.
• The system was using too few resources to carry out its privacy and security mission.
"Due to lean resources, competing priorities and fragmented oversight, our privacy and security compliance was misaligned with the HFHS mission and vision," said Ms. Phillips. "Now, HFHS is entering into a new territory to ensure synergy between its privacy and security — a culture of confidentiality," she said.
Fixing HFHS' data breach response
After Ms. Phillips assessed HFHS' data breach response program, she implemented what she termed "breach response 2.0." When HFHS had a second breach involving an employee's USB drive, the health system responded within 18 days. "We thought this was remarkable. We drastically reduced the time it took to inform patients, regulators and media," said Ms. Phillips.
Ms. Phillips and her team improved and streamlined HFHS' data breach response with the following eight actions.
1. Discuss goals. Ms. Phillips recommends actively identifying and talking about the goals for the healthcare organization's data breach response with the executive leadership team. "Just like there is a goal for any other initiative, there needs to be one for data breach responses. Is the goal for your organization to mitigate regulatory risk or class action litigation or to manage reputational risk and costs? If you can get an agreement on that up front, you can make better decisions on how to respond," said Ms. Phillips.
2. Convene a workgroup. One of the first things HFHS did was to convene a workgroup to guide their data breach response improvements. The workgroup consisted of individuals from across the system with a compliance or privacy background. The HFHS workgroup reviewed HITECH regulations and documented recommended processes. "The workgroup outlined what HFHS' approach should be," said Ms. Phillips.
3. Research risk of harm. The workgroup researched other organizations to determine how to address HFHS' risk of harm. "We looked at how we could determine if there was a risk of harm — the potential for exposure — to the patients affected by the data breach. You also need that policy for the organization; what could its exposure be? Then we came up with a process to document the risk assessment," said Ms. Phillips.
4. Secure a breach response partner. Ms. Phillips recommends an external partner to expedite the breach response process. "We needed a partner rather than an outsourced solution," said Ms. Phillips. "The reporting [for a breach] requirements are very tight, whether to the Office of Civil Rights or various state governments. For example, California only gives healthcare providers five days, so you need your team operating effectively. A strong partner helps with this," she said.
5. Create an enterprise-wide data breach program. HFHS created a program called Code B Alert to streamline the communication and immediate response plans for its data breach incidents. Ms. Phillips and the chief information security officer led the program, which included leadership representation from legal, public relations, human resources, risk management and all business units. Under the plan, a rapid response team and branded communication plan were created.
6. Charter a rapid response team. Ms. Phillips and her team decided to create an immediate response team within the Code B Alert Program, which they call the Code B Alert Rapid Response Team, to act as a first line of defense when a breach is reported internally or identified. "When someone calls thinking they lost something or that something was stolen, this team needs to make sure the breach actually occurred. Sometimes an incident is reported, but it is not a breach," said Ms. Phillips. Individuals from each business unit as well as from the legal, information privacy and information security offices were chosen to form the team. Ms. Phillips stressed the importance of keeping the team centralized. "We found that when we rolled out the Code B program, allowing each business unit to utilize a response team on their own was counterproductive. It's necessary to streamline the plan, keep it consistent and maintain the governance under one corporate entity," said Ms. Phillips.
7. Create a breach response communication plan. Ms. Phillips created a communication plan for internal and external actions to communicate the urgency of a data breach and the importance of complying with organizational security and privacy policies to employees as well as to notify patients, media and OCR. The communication plan was consistently utilized throughout the system and managed corporately instead of at the business-unit level. The internal communication was branded with the name Code B — the same title used for the response program and team — so employees would instantly recognize a data breach had occurred. This aspect was aimed at preventing future issues with employee understanding.
8. Test the plan against past data breaches. Ms. Phillips recommends testing any plan or program that is created against past data breaches to make sure the components in the plan address relevant issues. "It is a great way to make sure everything is covered. In order to vet the approach, we applied the plan to previous breaches. We took a case load from two years prior and went through the exercise of applying the response plan to the previous incidences. We knew that we could base the effectiveness of our plan on our history," said Ms. Phillips.
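The eight actions above describe a workflow: triage whether a reported incident is actually a breach, document a risk-of-harm assessment, track the tightest notification deadline across jurisdictions, and replay the plan against past cases to grade it. The following is an added example that models that workflow in Python; it is not Henry Ford Health System's code or any ID Experts product. Every window and threshold in it is an assumption: the five-day California figure follows Ms. Phillips' remark, the 60-day outer limit and the 500-individual threshold follow the HIPAA Breach Notification Rule as the author of this example understands it, the 30-day internal service standard is invented, and the sample incidents are constructed (only the 4,000-patient count and the 56-day and 18-day durations come from the article).

```python
"""Breach-response tracker modelled on the Code B Alert workflow.

Added example, not HFHS code. It encodes rapid-response triage, a documented
risk-of-harm assessment, per-jurisdiction deadline tracking and a replay of
the plan against past incidents. All windows and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed notification windows in days after discovery. "CA": 5 follows the
# figure quoted in the article; 60 is the HIPAA Breach Notification Rule outer
# limit as understood here. Confirm both with counsel before relying on them.
NOTIFICATION_WINDOWS = {"federal": 60, "CA": 5}
LARGE_BREACH_THRESHOLD = 500   # assumed HHS/media notice threshold under HIPAA
SERVICE_STANDARD_DAYS = 30     # constructed internal target, not HFHS's figure


@dataclass
class Incident:
    name: str
    discovered: date
    device: str
    encrypted: bool
    phi_present: bool             # did the device actually hold patient data?
    patients_affected: int
    states: tuple = ("MI",)       # states whose residents are affected
    notified: Optional[date] = None


def triage(inc: Incident) -> str:
    """Rapid-response check: a reported incident is only a breach if PHI was exposed."""
    if not inc.phi_present:
        return "not_a_breach"
    if inc.encrypted:
        return "secured"          # encrypted media: lower exposure, still documented
    return "breach"


def risk_of_harm(inc: Incident) -> dict:
    """Documented risk assessment: the factors considered plus the resulting rating."""
    status = triage(inc)
    if status == "not_a_breach":
        rating = "none"
    elif status == "secured":
        rating = "low"
    elif inc.patients_affected >= LARGE_BREACH_THRESHOLD:
        rating = "high"
    else:
        rating = "moderate"
    return {"incident": inc.name, "status": status, "device": inc.device,
            "encrypted": inc.encrypted, "affected": inc.patients_affected,
            "rating": rating}


def earliest_deadline(inc: Incident) -> date:
    """Tightest notification deadline across federal and affected-state windows."""
    windows = [NOTIFICATION_WINDOWS["federal"]]
    windows += [NOTIFICATION_WINDOWS[s] for s in inc.states if s in NOTIFICATION_WINDOWS]
    return inc.discovered + timedelta(days=min(windows))


def response_days(inc: Incident) -> Optional[int]:
    """Days from discovery to notification, or None while the case is open."""
    return None if inc.notified is None else (inc.notified - inc.discovered).days


def replay(cases, standard=SERVICE_STANDARD_DAYS) -> list:
    """Step 8: apply the plan to past incidents and grade each response."""
    results = []
    for inc in cases:
        days = response_days(inc)
        notice_required = triage(inc) == "breach"
        met_regulatory = (not notice_required) or (
            days is not None and inc.notified <= earliest_deadline(inc))
        results.append({"incident": inc.name,
                        "rating": risk_of_harm(inc)["rating"],
                        "days": days,
                        "met_regulatory": met_regulatory,
                        "met_standard": days is not None and days <= standard})
    return results


# Constructed sample cases (dates invented; counts/durations from the article).
PAST_CASES = [
    Incident("laptop", date(2011, 3, 1), "laptop", False, True, 4000,
             notified=date(2011, 3, 1) + timedelta(days=56)),
    Incident("usb", date(2012, 6, 1), "usb drive", False, True, 250,
             notified=date(2012, 6, 1) + timedelta(days=18)),
    Incident("false_alarm", date(2012, 7, 1), "tablet", True, False, 0),
    Incident("ca_mailing", date(2012, 8, 1), "misdirected mail", False, True, 40,
             states=("MI", "CA"),
             notified=date(2012, 8, 1) + timedelta(days=4)),
]

if __name__ == "__main__":
    for row in replay(PAST_CASES):
        print(row)
```

Replaying the constructed cases shows the point of step 8 in numbers: the 56-day laptop response clears the assumed 60-day federal window but misses the internal service standard, while the 18-day USB response clears both, and the false alarm is closed at triage without any notification clock at all. The California case shows why the deadline function takes the minimum over all affected states rather than the federal window alone.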
While every healthcare organization is different and should tailor a data breach response plan to its needs, the approach Ms. Phillips led at Henry Ford Health System drastically improved its data breach preparedness and response time. A hospital or health system looking for guidance could follow these tips to prepare a strong and effective response.