You’ve been hacked, and electronic protected health information (ePHI) has been exposed. You have certain compliance requirements, and there are also (intertwined with the needs of compliance) reasonable steps to take to halt the compromise and protect your patients. You may be working with managed service partners who want you to think that everything is fine, but due diligence demands you trust no one and assume the worst (even if you are not yet convinced that ePHI was actually exposed). You must start moving – but what are your first steps? You need to stop the immediate breach, recover your data, follow the law, bolster your security, and consider hiring an incident response company.
Plug the leak.
The highest priority when you get hacked is to make sure that you have successfully blocked access to the intruders. To better understand what has happened (e.g., how broadly data was accessed, the specific methods used by the attackers, their location, etc.), perform a risk assessment. You want to know the time the hack took place and its duration; whether the attack was due to insiders or outsiders; whether someone on your staff is at fault (whether intentionally or not); and whether electronic protected health data was accessed and/or stolen. Incident response firms can potentially help you through this process, as described below.
Get help with data recovery.
HIPAA compliance requires data backup, as indicated by the US Department of Health & Human Services. Being able to rapidly restore your ePHI via RAID data recovery and other means is important, though, especially given the proliferation of ransomware within healthcare. A strong and credible data recovery company will help you know how well you can restore your information, as well as your data backup integrity, through testing. Data backup stipulations should be within your contingency plan. Responding to a security event relies on well-constructed contingency and data restoration plans, the steps of which can be implemented most effectively through partnership with a data recovery service.
Follow state and federal law.
You must be aware which agencies must be contacted in your state and within the federal government. Since the passing of the Health Information for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA) and was first enforced in 2013, you are responsible for protecting ePHI whether you are a healthcare covered entity (CE) or a business associate (BA) handling health records for a CE. (See more on that law and the HHS’s Breach Notification Rule below.) You need to contact the Office for Civil Rights (OCR) within the HHS no more than 60 days following the hack. As advised by Mahmood Sher-Jan of ID Experts, be aware that regulators may want to see the individual notification messages you send to patients or users – so ensure that those are compliant, too.
The parameters for notifying agencies and people of this incident are outlined in the Breach Notification Rule. First, make sure that the rule applies. The HHS specifically states that the only relevant data for notifications is unsecured protected health information (so you are safe if the data is encrypted and the hacker does not have a key). Once you determine that the data accessed was not properly secured, you want to start preparing notifications for individuals, the HHS, and – under certain circumstances – the media. If a business associate is breached, it only must worry about notifying the relevant covered entity:
HHS – Whenever you experience a hack, you must report it to the Secretary of the HHS through this portal. It is important to contact the agency right away when there is ePHI of more than 500 people involved – within 60 days and “without unreasonable delay,” per the agency. When the number of impacted individuals is lower than 500, you can report annually for the previous year – as long as you do so no more than 60 days into the next year (i.e., February 29 or March 1).
Individuals – A healthcare organization has to send a notice to anyone who was affected by the hack by email (if you have a signed authorization to send these notifications to the person electronically) or first-class mail. When a firm does not have the current contact details for 10 or more people, they need to take alternative means to get the word out by either sending an announcement to the local media (broadcast or print) in areas where the patients or consumers live, or by posting information about the hack on their website homepage within 90 days. A toll-free number should be available and live for at least 90 days, so that affected people can learn basic information about the compromise. If the number of people for which contact information is outdated is lower than 10, the healthcare company can use a different means of alternative contact, such as telephone or another written format.
Media – Finally, you must contact “prominent” media organizations within areas that are home to 500 or more people whose data was exposed. Just the same as the deadline for contacting the HHS for a larger (500+) hack, you have 60 days maximum to make this contact – and it should happen “without unreasonable delay.”
Covered entity – Business associates do not need to be concerned with the above contact parameters since that aspect is handled by the healthcare firm. However, they do need to notify the covered entity that is involved. Regardless of the number of people whose ePHI is exposed, the BA must get official notice of breach discovery to the covered entity within 60 days.
Improve your security to mitigate risks.
When you get hacked, you want to fix whatever the most immediate vulnerability is right away. However, some steps to address risk can wait until you have thwarted the invasion and have sent out notifications as required by law. Having assessed the risk of the applicable environment (above), a comprehensive assessment should be performed, revealing any other risks that exist and what security steps you can take to keep the hack from occurring again.
Consider working with an incident response (IR) firm.
When you experience a hack, it is critical to move quickly, and having help is fundamental. So that you take the right steps in the first two hours and the first 24 hours, contract with a company that specializes in incident response – one aspect of which is data recovery. Through that function, IR specialists can help determine the exact data that was accessed and vulnerable to the attacker, which limits the scope and reduces the set of notifications that must be sent. With an IR firm, you do not need to handle any of the above steps on your own, grappling to determine if a bad actor remains within your network or how to reestablish your defenses. You will not have to think about contacting the attorneys that need to be involved, or which staff members can shut down hacked email accounts. You simply put their details in your incident response plan. They can then get to work immediately.
Responding rapidly to a healthcare hack
If your HIPAA data is hacked, you want to be able to move quickly and confidently. Whether you recover from the attack yourself or work with an outside organization, the process involves mitigating the immediate issue, recovering the data, sending notifications, improving security long-term, and considering an IR partnership. One way or another, it is key that you are prepared for these events and ready for fast movement in response so that the attack does not turn into a string of violations and lawsuits.