Customer-facing breach notification and response should be part of every healthcare organization's incident response plan, but it is often not top of mind when the worst happens.

Federal and state laws often dictate specific steps healthcare organizations must take, particularly after large breaches. Under the HIPAA Breach Notification Rule, for example, a breach affecting 500 or more individuals must be reported to the HHS Secretary, and one affecting more than 500 residents of a state or jurisdiction must also be disclosed to prominent media outlets serving that area, on top of the individual notices.

However, completing those legal steps does not replace the need to notify the people whose information may have been compromised, to tell employees and the public what happened, and to set the tone for recovery. It's more art than science; several factors influence what you communicate and how.

Unfortunately, many organizations treat breach notification as an afterthought, or as a box to tick once the compliance obligation has been met. By stopping there instead of communicating fully, they miss an opportunity to reassure customers and make things right at the very moment a breach has damaged their trust.

At a recent security conference, I moderated a panel discussion with three industry experts (Bo Holland of AllClear ID, Lisa Sotto of Hunton & Williams, and Matt Prevost of Chubb) who offered their insights into what to do, how to do it, and how to pay for it and offset the risk as it relates to breach notification and response.

Here are some highlights from the discussion:

What legal obligations exist for breach notification? You're likely facing a patchwork of laws and regulatory requirements with varying triggers and deadlines, and more are on the way. Check with legal counsel to see what applies to your business. Today, 47 states and 4 territories require notification of unauthorized acquisition of or access to sensitive information. There are also industry-specific notification obligations, such as those under HIPAA, HITECH and GLBA. The proposed EU GDPR includes a tight 72-hour window for notifying the supervisory authority of a personal data breach, a term that covers not just unauthorized disclosure but any security breach that compromises personal data, including its loss or destruction. You may also have contractual obligations with business partners that spell out notification requirements.

Should organizations still notify if they don’t have to? Even if you’re not required to notify by law, you still have a choice, and it’s a complicated decision. To notify or not involves some degree of brand and reputational risk, regardless of the choice you make.

In making that decision, an organization should weigh the potential for future harm and liability that could accompany a choice not to notify, as well as how well it could manage the response should the breach and the decision to stay silent later come to light. Ultimately, the guiding star is the customer relationship and your promise to customers about how you handle and protect their data. Most firms will err on the side of caution and notify.

How can firms set themselves up for success with breach notification? Don't notify too early. You will be criticized either way, but letting investigators establish as much as they can about what happened means you communicate facts rather than guesses and avoid having to correct yourself later. In the meantime, consider issuing a holding statement that acknowledges you are aware of the issue and are investigating.

Define what constitutes a breach versus a security incident in your business partner and service provider contracts. The distinction matters when a cyber insurance claim is analyzed and breach notification costs are allocated.

Cultivate relationships with local law enforcement and your FBI field office and Secret Service contacts before a breach occurs. Go beyond what state attorneys general expect and engage them proactively during a breach; you don't want them to learn about it from the news before you tell them.

Consider breach notification an extension of the customer relationship and mesh it with your crisis communication and incident response plans. Make sure your customers feel taken care of and cared about. Be forthright, contrite and consistent in your communications. Coordinate communications and guidance to your employees first, especially those in customer-facing roles.
