5 steps to take after your practice suffers a data breach

February 10, 2017
John Campanelli
John Campanelli

​Perhaps you thought it would never happen to an office your size, or that you were protected, but it’s happened anyway.

Perhaps you thought it would never happen to an office your size, or that you were protected, but it’s happened anyway: your practice’s computer systems have been compromised and patient protected health information (PHI) may be at risk. Here are five steps to take if your practice experiences such an incident:

1. Call for help

At the first sign of unusual computer activity-frequent crashing, slow servers, files that won’t open-get help. Unless you have a full-time IT pro who’s well-versed in computer forensics and HIPAA regulations, you’re going to need outside experts.

“You’d never recommend do-it-yourself surgery,” says Lee Kim, JD, CISPP, director of privacy and security at the Healthcare Information and Management Systems Society North America. “Retain a consultant that has a forensics background.”

But don’t make the call yourself. Call your attorney instead, and have him or her engage the tech team, says Mark Dill, a longtime HIT professional and principal consultant at TW-Security. 

“If the lawyer formalizes the engagement, the work is oftentimes considered part of attorney-client privilege,” Dill says. That may allow your response to the breach to remain confidential during potential litigation.

 

 

2. Cordon off the scene

Your goal should be the same as that of cops taping off a crime scene: preserving evidence.

Walk away from the computers, says Kimberly B. Holmes, JD, RPLU, senior vice president and counsel with ID Experts. 

“In the panic of an attack, many organizations flounder and forget the need to preserve evidence that shows how far the attackers got,” says Holmes. “They don’t realize that even by exiting out of the system, they may be overwriting logs that exist in servers.

“The cost of the breach is largely going to depend on showing that the attackers did not get into the entire network,” Holmes adds. “Or if they did get into a database, they didn’t run searches or pull data out.”

Failing to preserve evidence that could prove the incident was less severe or affected fewer patients could end up raising the cost of the breach exponentially, Holmes says.

 

 

3. Identify and stop the bleeding

This is the responsibility of your tech experts, but make sure you and your attorney stay informed. Ask your tech professionals for detailed documentation of everything they are doing. 

The IT professionals will be able to find out if your practice fell victim to a phishing scam, malware, viruses or if you’re the target of ransomware. Then they’ll clean up the mess.

To keep the practice running, use a spare computer not connected to your system or even pen and paper, Kim says. 

 

 

4. Assess and report

Determining the scope of the breach is crucial. If it involves the unsecured PHI of 500 or more patients, you’ll have to inform local media, and your practice will be listed on HHS’ website. 

Regardless of the scope, you’ll need to report the breach to HHS and notify affected patients. Work with your privacy or compliance official to make sure you fulfill your obligations. HIPAA audits frequently follow breaches, says Dill, so be prepared.

 

5. Protect from future breaches

No matter the type or size of the breach, the goal is to get back up and running with minimal cost and damage.

That means educating your team on email scams, upgrading your email system to make it more secure, being diligent about your HIPAA risk assessments and having an incident response plan in place.

“Short-term recovery is getting back on your feet, getting back to work,” says Kim. “But there’s also long-term recovery. How do we make sure that this darn thing doesn’t happen again?”