With the number of data breaches at healthcare organizations increasing, it is necessary for hospitals to implement security measures to protect patient information.
In a recent presentation on data privacy and security at the McGuireWoods Healthcare Litigation Conference in Chicago on April 8, Alison Brunelle, specialist master, cyber risk services, privacy and data protection at Deloitte & Touche; L.D. Simmons, partner at McGuireWoods; and Skip Westfall, forensic technology leader at Grant Thornton, offered five tips for hospitals on protecting patient information and responding to data breaches.
1. Create a data inventory. With the rapid influx of data into hospital systems through the implementation of EHRs, hospitals have to know which server holds what information in order to triage a breach properly, said Ms. Brunelle. Hospitals need to produce a robust, well-documented data inventory so that when a data breach occurs they can isolate and investigate the systems that were affected, added Mr. Westfall.
2. Treat data as an asset. Data is an asset that needs to be protected, said Ms. Brunelle. To properly protect data and reduce the likelihood of experiencing a security breach, healthcare organizations need to recognize what data requires protection. Any unique, identifying information needs to be protected. This includes information such as names and addresses along with patients' protected health information, said Ms. Brunelle.
3. Protect data when it goes outside hospital walls. Because third parties such as vendors provide a range of services to healthcare organizations, patient data has to be protected both inside and outside hospital walls, said Mr. Westfall.
To help prevent data breaches caused by third parties, Ms. Brunelle suggests being "very explicit when it comes to drafting business associate contracts" with vendors. Hospitals need to make sure their contracts with business associates contain appropriate privacy provisions. Ms. Brunelle also recommends holding business associates and vendors accountable by reserving, and exercising, the right to audit them.
4. Create an incident response team. Have a team of professionals ready to respond immediately when a data breach occurs, said Mr. Westfall. When a breach occurs, a quick response is necessary to keep further patient information from being compromised and to determine the source of the breach. Having a team ready to respond is crucial.
"Treat every data breach with the highest level of attention, as if it will end up in a criminal prosecution," said Mr. Westfall. Hospitals need to go into a data breach investigation with "full force" and then if they need to throttle back they can, he added.
5. Manage cyber-risks with insurance. According to Mr. Simmons, "the question isn't if but when" a data breach will occur at a healthcare organization because hackers are becoming more and more aggressive. Not only do hospitals need cyber insurance for protection when a data breach occurs, but they also need to make sure the insurance purchased includes first-party cyber coverage and third-party cyber coverage, said Mr. Simmons.