Does Your Practice Have a Data Breach Response Plan?

January 20, 2016

If your practice suffers a security breach, staff must know their part in implementing an incident response.

Indiana-based Cancer Care Group, P.C. (CCG) did the right thing when it came to encrypting sensitive patient data on its mobile devices. However, the group practice failed to encrypt or otherwise protect backup tapes that were left unattended in a laptop bag and stolen, according to JD Supra Business Advisor. Unfortunately, the tapes contained the protected health information (PHI) of approximately 55,000 individuals. Compounding the security lapse, CCG did not conduct an incident assessment following the breach, nor did it implement procedures to address the incident. HHS' Office for Civil Rights (OCR) fined the group $750,000 and required it to develop a three-year corrective action plan. 

FIRST STEPS

If medical practices take away just one lesson from this cautionary tale, it should be that the OCR is serious about enforcing the HIPAA Security Rule. Stephen McCallister, a California-based healthcare IT consultant, says that in order for practices to protect themselves against a data breach, the first step must be to conduct a security risk assessment, which is also required by HIPAA as part of meaningful use. "Small to medium practices, they need to … conduct that risk assessment and both address any shortcomings that are identified in it, and continuously update that on at least an annual basis," McCallister says.

A practice should also have a formalized incident response plan as part of a disaster recovery/business continuity strategy, to address any type of potential security breach within the practice, he adds. 

Mary Igo, chief executive officer for Digestive Health Specialists, a 35-provider specialty practice based in Tacoma, Wash., has been working in physician practices for more than 20 years and is well-acquainted with data security. Her practice spans seven offices and five endoscopy centers; all are connected on a network that includes two redundant servers. Digestive Health is fortunate to have a robust health IT team onsite, but Igo says data security starts with staff awareness. "[When an incident is reported] it can either be a patient calling and saying, 'I got someone else's paperwork,' … or it comes from an employee who knows that it is an issue," she says.

BASIC ELEMENTS OF A RESPONSE PLAN

The specifics of an incident response plan will vary according to practice size and resources, says McCallister. At its simplest, a plan should establish pre-breach preparation "which includes not only planning for how you are going to respond to [the breach], but … if you'll need assistance with elements of the response," he advises.

The document should spell out who will help the practice respond to a data breach - internal staff, external consultants, IT vendors, legal counsel, etc. - and each person's role and contact information.

Even though Digestive Health has a dedicated communications staff member, Igo says she would prefer to spearhead an initial breach response herself so that she could control what is communicated to patients and the community. In fact, she notes, for small practices, the administrator may be responsible for implementing the majority of the response plan. In that case, it is important to know what outside resources are available to the practice, she says.

"[Our practice administrator networking group] was looking at six different practices, they varied in size from eight to 25 [staff members], and three of those six practices use outside vendors to support their IT environment," Igo says. Relying on an IT vendor for security assessments, software updates, and even technical support in the event of a security breach may be the best way to go for small practices, she notes. Not only do they have the technical knowledge about a practice's network, but they have an objectivity that an internal staff member may not.

That is a philosophy that Karena Wu, owner of Manhattan-based Active Care Physical Therapy, has adopted. The three-provider physical therapy practice uses a cloud-based EHR designed for physical therapists. All sensitive patient data resides on a cloud-based server, she says, which is HIPAA compliant. "I think if someone is using a reputable EHR system, all of that compliance stuff is going to be taken care of for them. Because at the end of the day, we are all paying for a service," says Wu.

KEY STEPS TO TAKE AFTER A DATA BREACH

Once an incident response plan is activated, it should include the following steps at a minimum, according to IT security experts:

1. Discovery

Practices should attempt to identify what actually happened during the data breach, what systems/information sources were involved, and the scope, says McCallister.

Other steps in discovery to take:

• Investigate and document the cause of the breach

• Conduct an internal investigation and document the practice's discovery efforts

• Collect and preserve evidence (such as e-mails, voicemails, and computer logs)

2. Containment

Once practices understand the root cause of the breach, they should enter "a period of containment and mitigation, where you are locking things down [and] ensuring … that the systems are clean, if you've been infected by phishing malware," says McCallister.

Other steps in containment to take:

• Contact the practice's malpractice carrier

• Recover documents if possible (such as paper test results or charts)

• Contact law enforcement if there is criminal activity

3. Recovery and notification

HIPAA requires prompt notification of affected individuals by letter or e-mail, and HHS; one way to do this is through the online OCR Breach Portal (bit.ly/breach-portal). Initially, the practice should disclose limited information and stress the investigation is ongoing.

Other steps in recovery and notification to take:

• Work with the practice's privacy officer and/or legal counsel to develop communication strategies

• If more than 500 individuals are involved in a data breach, OCR and the media must be notified within 60 days of the breach.

• If less than 500 individuals are involved, a practice must notify OCR within 60 days of the end of the calendar year.

4. Identity protection (optional)

Preserving your practice's reputation and good standing in the community is an important consideration. If word gets out that your practice was lax with patients' personal information that could cost you specialty referrals and new patients. Igo says when a list containing personal information for roughly 50 patients was mistakenly given to a patient at her practice, she offered free identity/credit theft protection to affected individuals for one year.

THE COST OF DATA BREACHES

It's a given that a data breach could be potentially devastating for affected patients, potentially exposing them to identity theft and financial loss. But, in what ways could your practice be harmed? Mary Igo, chief executive officer for Washington-based Digestive Health Specialists, says preserving a practice's reputation should be foremost in the minds of staff, after first ensuring that any damage to patients is minimized. Bad news travels fast. If a practice doesn't move to limit gossip about a poor patient experience, it could suffer the loss of new patients, referrals from neighboring practices and the respect of colleagues in the community.

Another hazard for a practice is financial loss. Failing to conduct a security risk assessment and developing a disaster recovery plan could mean a HIPAA audit, fines, and repayment of meaningful use incentive money. And don't forget the cost of credit monitoring services for patients affected by a data breach. Aaron Ross, owner of IT security company IT Is Prepared, works with small businesses and says even if the cost for credit monitoring is only $10 per person, a practice with 3,000 patients will be looking at $30,000 a year.

Erica Sprey is associate editor for Physicians Practice. She can be reached at erica.sprey@ubm.com.

This article was originally published in the January 2016 issue of Physicians Practice.