You’ve been hacked: How to recover from the nightmare
As a healthcare CIO, you’ve been putting out various fires today and trying to make progress on several initiatives. That all changed a minute ago; now, you’re in free fall.
Your top security officer has just shared the worst possible news; despite everyone’s best efforts, a hacker found a backdoor to the network and accessed records. The damage report’s coming soon, but it looks like information from thousands of patients was accessed.
It’s a horrific scenario that, unfortunately, is becoming more common with each passing year. Data from the Department of Health and Human Services and its Office of Civil Rights show 56 large hacks of healthcare organizations last year, in which more than 500 healthcare records were accessed. That’s nearly six times more than the number of large hacks reported to HHS/OCR in 2010.
What’s next when you discover a hack at your facility? Healthcare organizations typically have detailed technical plans for closing access to networks, assessing damage and doing post mortems so it doesn’t happen again. But beyond the technical repair work, organizations also need a plan for appropriately responding to the reputational hit that can follow a hack.
It’s more than just a PR department’s “problem.” IT executives will need to be involved to manage the fallout and craft responses that limit the damage to the organization’s reputation.
It’s easy to botch.
When retailer Target suffered a large cyber attack, the company tried getting the word out quickly on the extent of the attack and what it was doing to mitigate the damage and protect customers. But it may have done too much too fast. Estimates of the number of affected customers later went up, and then went up again, contradicting initial statements, recalls Linn Freedman, a healthcare attorney and partner in the Robinson & Cole LLP law firm.
Organizations that suffer breaches face a dilemma: how to be transparent while also protecting the organization and starting to restore its reputation, says Robert Belfort, a partner at the Manatt, Phelps & Phillips law firm. If information is released too early, the organization may later be perceived as having initially downplayed the significance of the attack, he warns. “Avoid the tendency to try to calm everyone’s nerves. It’s best to wait until you have more information to tell.”
“It’s clear that the best strategy is being upfront and honest, but waiting until you actually know what happened,” Freedman says.
When it comes to healthcare breaches, the stakes are higher for providers. Health records have more demographic information, including Social Security numbers, and often contain financial as well as extremely sensitive health information. That rich data set provides more opportunities for identity theft, the sale of health information and other fraudulent uses of personal data. Not only does it give hackers more data to use, it also makes it harder for investigators to determine how and when that information is used illegally.
The bar for protecting health data is higher than for retail or credit card information, and consumers perceive it that way, because of the stringent requirements of HIPAA, which are spelled out in the privacy notices patients are required to sign. When healthcare breaches do occur, providers and insurers often are found not to have followed those security measures, so brand reputations often suffer more than is the case with breaches in other industries.
In addition, consumers now expect that protective services such as credit monitoring and/or identity protection services will be offered when breaches occur. While two states—Connecticut and California—now mandate it, healthcare organizations have often been slow to offer those services, which can add to negative perceptions.
What follows is a blueprint for healthcare organizations that want to restore their reputation after a health data hack.
The increase in targeted healthcare cyber attacks should by now have convinced organizations they are likely to be breached, but many providers and payers are still unprepared. Assuming a breach will occur and being prepared in advance is the best way to not only better serve those affected, but also the organization, says Daniel Gottlieb, a partner in the McDermott Will & Emery law firm. “Having an incident response policy in place and doing a tabletop exercise once a year would be ideal,” he advises. “If that’s not practical, less often is better than never.”
After a breach is discovered is not the time for an organization to start deciding on protection services, looking for legal help and establishing relationships with enforcement agencies—those steps should be taken now, Gottlieb says.
Offering protection services for two years is best but may not be financially feasible or necessary depending on the types of information compromised. But those services should be offered for at least a year, experts say. Attorney Belfort advises erring on the side of two years of protection if Social Security Numbers are involved.
An explanation of the protective services being offered is commonly part of the notification letter sent to affected patients. There is an art to writing the letter, Gottlieb says. It is important that the letter be written in an empathetic tone so it doesn’t sound like it was written by lawyers, and that it be authored by an executive who feels sincerely bad about what happened. With a large breach, it’s also a good idea to put together a web video in which the organization’s CEO apologizes and addresses how the organization is responding. This is not required, but it shows that the top person is engaged. “It can be an effective way of communicating empathy and not being overly lawyer-driven,” Gottlieb adds.
It has become common for healthcare organizations to include a sentence in patient notification letters stating that, to date, there has been no evidence that the compromised data has been accessed or used.
Technically, that’s true, but the question is whether it is a wise statement to make, Belfort argues. The problem is that these statements sometimes are made before an organization knows who hacked them, or why, and what the hackers plan to do with the information.
“Nobody really knows what’s happening with this information,” Belfort says. “The criminals often are very sophisticated. So don’t convey the impression that the risk is small. I understand the temptation to say that to protect the company and calm nerves, but you can lose trust later on.”
Another major way to bolster trust and credibility is to not make patients wait too long when trying to reach someone at the call center set up to answer patient questions and provide other information, according to Gottlieb.
Staff the center up from the beginning, when awareness and anxiety are at the highest points, and over a period of time staff down as call volumes drop. Experienced call center companies have data on the volume levels that can be expected and can assist in setting staffing levels, particularly in the first few days after a breach is made public. A hold time of 5 minutes or less, especially in the early days, is ideal.
When a breach occurs and an organization’s patients or health plan members learn of it, so will the rest of the world, thanks to the wonders of social media. Affected individuals will be posting their impressions, as well as information that may or may not be accurate.
Want to know how your affected patients or health plan members are digesting news of the breach? Hire a crisis management firm to monitor social media, dispel myths or untruths, and get your information out, Freedman counsels. Well-known healthcare organizations should have a crisis management firm on retainer before a breach happens.
If a crisis management firm isn’t affordable, monitor social media in-house. Watch what is being posted by social media users and those also posting on your site to assess the tone, which can help you strategize and mitigate the damage.
Make sure patients commenting on social media can contact a real person to talk about the breach and related information, Freedman says. “These are patients; they want to talk to someone and make sure it doesn’t happen again.”
Aggressive BA oversight
In a strange twist, a lax security provision in HIPAA often reduces the legal responsibility of healthcare organizations for data breaches.
The law originally had what providers and payers considered an unrealistic standard for overseeing how well their business associates secure protected health information. That standard later was modified so that covered entities were not responsible for a business associate’s breach unless they were aware of a pattern of questionable practices and subsequently did not compel the business associate to take mitigating actions.
But while not technically responsible for unknown acts of business associates, covered entities can still suffer a serious blow to their reputations. As a result, some organizations are becoming more aggressive in their oversight of their business associates as part of more comprehensive security strategies.
In the aftermath of a breach, Freedman says, the strongest step an organization can take to repair the damage is to take a hard look at its security practices, make improvements and publicize them to the extent it can.
And it isn’t just cyber attacks to worry about; consumers understand the new reality of data security and expect an organization to take action across the board.
“A stolen unencrypted laptop is unacceptable today; you’re going to lose a lot of credibility,” she contends. “Patients will say, ‘How in the world can you be using unencrypted laptops?’” Consequently, encrypting laptops, flash drives and emails, and encrypting data at rest, is how an organization can show its commitment to security, she adds.