Your Health Data Will Be Breached
Data breaches are taking place with an alarming frequency. Equifax’s data breach affected nearly 143 million Americans. But the attacks aren’t limited to personal information; many are targeted toward protected health information as well.
Just a couple of weeks ago, NHS Lanarkshire, the third largest health system in Scotland and one that employs over 12,000 staff, fell victim to a malware attack. On the heels of a broad cyberattack affecting much of the National Health Service (NHS) in May, medical operations were put on hold, and patients were even told not to go to the hospital unless it was absolutely necessary. Though it occurred on the other side of the Atlantic, this event stood as a stark reminder that many hospitals, health systems and other companies in the health care space are vulnerable to a cyberattack.
Big, well-known health care providers aren’t necessarily the sole targets. Even at small community hospitals, an administrator could open an email from a hacker group claiming to have stolen patient data and lock down the computer system. If these hospitals refuse to pay the hackers a hefty ransom, their computers could stay down and their patients’ confidential health data could be sold or published to other bad actors with nefarious intentions. Following the seemingly recurrent news of global ransomware attacks, these scenarios are becoming all too real.
While employee negligence is a primary concern in securing patient information, hospitals and health systems now need to prepare and brace for external threats to IT security. Last year, U.S. companies and government agencies suffered a record 1,093 data breaches, a 40 percent increase from 2015, according to the Identity Theft Resource Center. More than one-third of those breaches were health care organizations. Those breaches can cost health care organizations $380 per record, which is 2.5 times more than the global average across other industries.
In addition to the monetary repercussion of an attack, reputations are at stake. Many patients will actively avoid hospitals or organizations where breaches have occurred or where they feel their personal information is not secure.
How does a hospital or health organization prepare for a potential breach of patient data? How can you instill a sense of trust among patients that their personal, private health information is secure?
As the statistics show, it’s not a matter of if, but when a breach will happen. When a breach occurs, balancing the demands of patients, media and the public for immediate information while investigating the source and complying with legal and regulatory requirements can seem nearly impossible. Steps can be taken ahead of a breach to prepare and build patient trust.
First, hospitals and health systems should work to develop a data breach response plan and team to protect the patients they serve. The more these groups can prepare for an inevitable breach, the better. The planning team should include members who bring different perspectives, including internal and external communications, legal, privacy, and compliance. For instance, a media lead is responsible for handling media calls and responding to emails; internal and external communications writers must work together to draft everything from press releases to employee emails to social media posts; and an attorney needs to review and approve all communications. According to a 2017 Ponemon Institute and IBM study, having an incident response team in place and ready can reduce the cost of a data breach by $19 per lost or stolen record.
Second, holding statements should be ready to ease patient concerns. Health care organizations need to have public response material ready ahead of time, including a baseline response to patients and the public. Make sure what you say to the media or make public doesn’t expose you to additional liabilities. For example, don’t overpromise with statements such as “we will do everything possible to secure our patients’ data.”
Third, companies must comply with patient privacy laws or pay the price. Under privacy data laws, hospitals must report potential medical data breaches affecting more than 500 people within 60 days of the incident. Hospitals will be asked if they had “policies and procedures in place to handle a breach like this.” At stake: potentially millions of dollars in fines for organizations whose preparation or response falls short. But even worse, the trust between patients and the health organizations that serve them could be forever severed, and trust is a value at the heart of the provider-patient relationship.
Additionally, organizations must test the response regularly. To work well, the response plan and team need to be tested and retested. Practice will help ensure that when the crisis hits and tensions are high, the team will perform well. Being transparent and communicating with patients regarding the steps that the organization is taking to protect their personal data is equally important, as it will help to build or re-establish patient trust. In the end, protecting patients, finances, operations and reputation from the cyber threats comes down to planning and preparedness.
Finally, local health departments and policymakers must be engaged. The greater the level of community involvement in and awareness of protecting health systems and patient personal information against possible threats, the greater the level of empowerment health organizations will have in taking proactive steps to enforce data security.
While many local health departments have disaster preparedness plans, patient data security is often not included in planning resources. Also, many health information and privacy regulations do not adequately address IT changes that could properly secure patient health records. Bringing local leaders into these conversations can build awareness of the issue and facilitate discussions to help fill the gaps in security.
Even at the federal level, more attention to this issue can protect not only local health providers and organizations represented by members of Congress but also federal agencies which, like the NHS, must constantly act to safeguard their systems from a breach. Policymakers should also look at ways to provide guidance and resources to smaller institutions that often lack the tools to protect themselves and execute the response protocols needed to reassure wary patients and the public at large.
Kristen Thistle and Cori McKeever Ashford are Executive Vice Presidents in charge of Weber Shandwick’s health care practices in Minneapolis and Chicago, respectively.