CYBER SECURITY
While most of your work in preparing for a data breach will go toward building the response plan, allocate time to staff training. Staff should understand the different types of breaches, how they can occur and the process to follow to report suspicious and unusual activity. Include this education in onboarding and revisit these subjects regularly to keep staff attuned to risks.
In addition, ensure staff are comfortable reporting incidents, including those they might have caused. Accidental internal breaches are common. More than 70 percent of business executives believe their organizations experienced such a breach within the past five years, according to a 2020 survey.
When you discover that your ASC has suffered a data breach, time is of the essence. Initiate your response plan and begin an investigation to determine what IT systems are affected, whether protected health information (PHI) is compromised and how many patients are affected, and the cause(s) of the breach. Document every detail and piece of evidence, including when and how you learned about the breach and the actions you subsequently take. This information will be important for communication and reporting purposes.
Simultaneously, work with your IT experts to contain the breach. This might require you to disconnect, i.e., isolate, affected systems, change account passwords, restrict internet traffic and take other steps to prevent additional harm. The computer forensic specialist on your incident response team should help identify required containment measures.
Assuming your ASC experiences a breach of patient PHI, you will need to follow the requirements of the HIPAA Breach Notification Rule. Affected individuals must be notified within 60 days of when you discover the breach. If the breach involves 500 or more individuals, you will need to notify the US Department of Health & Human Services’ Office for Civil Rights (OCR) within 60 days. If a breach involves more than 500 affected individuals residing in the same state, you are required to notify local media outlets within 60 days as well. For a breach affecting fewer than 500 patients, you are still required to report the breach to OCR but must do so within 60 days of the end of the calendar year in which the breach was discovered. There might also be some state reporting requirements to follow. Identify and include these rules in your response plan. Failure to follow rules can lead to civil penalties, as can a failure to perform a comprehensive investigation.

“The backbone of a successful data breach response is a formal, written plan. A data breach is considered a type of manmade disaster, so treat development of this plan as seriously as other disaster plans.”
—Nelson Gomes, Medicus IT
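The notification timelines above turn into a small deadline calculator that a response plan can track against. This is an added example, not code from the article or from Medicus IT; the BreachFacts structure, function names and the scenario counts are assumptions, and it encodes only the federal windows the article states, not any state rules.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Windows and thresholds exactly as the article states them (HIPAA Breach Notification Rule).
WINDOW = timedelta(days=60)          # "within 60 days"
OCR_PROMPT_THRESHOLD = 500           # 500 or more -> OCR within 60 days of discovery
MEDIA_SAME_STATE_THRESHOLD = 500     # more than 500 in one state -> local media outlets


@dataclass(frozen=True)
class BreachFacts:
    """Facts the investigation establishes (hypothetical structure, not from the article)."""
    discovered: date          # day the ASC learned of the breach
    affected: int             # individuals whose PHI was compromised
    max_in_one_state: int     # largest number of affected individuals in any single state


def notification_deadlines(facts: BreachFacts) -> dict[str, date]:
    """Return each required notification and the latest date it is due."""
    if facts.affected < 0 or not 0 <= facts.max_in_one_state <= facts.affected:
        raise ValueError("inconsistent breach counts")
    due: dict[str, date] = {}
    if facts.affected == 0:
        return due                    # no compromised PHI, nothing to notify
    due["individuals"] = facts.discovered + WINDOW
    if facts.affected >= OCR_PROMPT_THRESHOLD:
        due["ocr"] = facts.discovered + WINDOW
    else:
        # Smaller breaches are reported within 60 days of the end of the discovery year.
        due["ocr"] = date(facts.discovered.year, 12, 31) + WINDOW
    if facts.max_in_one_state > MEDIA_SAME_STATE_THRESHOLD:
        due["media"] = facts.discovered + WINDOW
    return due


def overdue(facts: BreachFacts, today: date, sent: set[str]) -> list[str]:
    """Notifications whose deadline has passed without being sent (for response-plan tracking)."""
    return sorted(k for k, d in notification_deadlines(facts).items()
                  if k not in sent and today > d)


if __name__ == "__main__":
    # Constructed scenario: 1,200 patients affected, all in one state, discovered 15 Oct 2020.
    f = BreachFacts(date(2020, 10, 15), 1200, 1200)
    for name, d in notification_deadlines(f).items():
        print(f"{name:<12} due {d.isoformat()}")
    print("overdue:", overdue(f, date(2020, 12, 20), {"individuals"}))
```

A breach of exactly 500 individuals in one state triggers the OCR report within 60 days but not the media notice, which the "more than 500" threshold leaves out.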
When informing individuals and the media about a breach, do not delay your outreach efforts and be transparent. You are working to earn back the trust of those patients affected by the breach and reassure future patients that you prioritize their privacy and PHI security. Collaborate with your crisis management/public relations firm to craft messaging that explains what happened and when, who is affected and what your ASC is doing in response. If your ASC has invested in cybersecurity insurance, the policy might include a public relations campaign or you might have the option of adding this worthwhile feature. Have legal counsel sign off on any statements before distribution and publication.
In your communications, provide ways for affected patients and other concerned individuals, for example, unaffected and future patients, to speak with your ASC about the situation. Options include setting up a dedicated phone line or email account. Staff members tasked with responding to queries should know how to properly address a range of questions, including those about PHI, and how to handle media requests.
As you execute your response plan, conduct an audit on your security posture, i.e., overall cybersecurity strength, to identify the cause(s) of the breach, if not already known. This will help you determine the improvements to implement to prevent the same type of breach from recurring. Solutions might involve additional staff education and training, investing in new security technology and bringing in a third party to perform a robust risk assessment.
Not long after you finish executing your response plan, bring the incident response team together. Discuss what aspects of your response went well and what did not. Based on the feedback you receive, identify necessary changes to the response plan to ensure your ASC is better prepared for a future breach. Plan a drill of the revised plan to determine if those changes should deliver their intended results. You cannot anticipate whether your ASC will experience another breach, but you can control how prepared you will be if that day comes.
ASC FOCUS OCTOBER 2020 |
ascfocus.org 29