Dealing with a health data breach: 5 lessons learned firsthand
Health data breaches are on the rise, and organizations must not only take greater steps to protect patients’ information, but they also must be prepared to respond if an incident does occur. Here are some lessons learned by an organization that was recently the victim of a health data breach.
Micky Tripathi, president and CEO of the Massachusetts eHealth Collaborative (MAeHC), recently detailed in a blog post his organization’s experience in dealing with a big data breach.
Last year, a laptop containing sensitive data was stolen from an employee’s car. The information on the machine included health information for more than 14,000 patients from 18 different medical practices.
The laptop and the files containing the data were password-protected, but the data wasn’t encrypted.
In response to the theft, MAeHC notified affected individuals and law enforcement authorities, and offered credit monitoring services to the potential fraud victims. The total cost of cleaning up after the incident was close to $300,000, according to Tripathi, plus soft costs such as missed opportunities and damaged reputation.
Tripathi described the lessons his and other organizations can learn from this health data breach, including:
1. Perform a self-assessment on security – Do the individuals working with patient data in your organization have the training and technology to do their jobs securely? Go through the various workflows involving sensitive data and determine if there’s currently any point during which the information is unprotected.
2. Assume portable devices have patient data – While many EHR systems are designed to hold data on a central server, rather than on an individual laptop, copies of the data are often saved to the local machine temporarily or sometimes permanently. In the MAeHC incident, the laptop held error log files which included copies of the patient data. Protect all portable devices — for example, by encrypting them.
3. Know how third parties handle sensitive data – MAeHC is a contractor that works with providers to implement health IT. But even though the breach was a contractor’s fault, that didn’t make the affected practices immune from legal repercussions and other damages.
4. Have a breach response plan – Tripathi says after the breach occurred, MAeHC approached the problem like any other complex project — by developing a written project plan and taking it one step at a time. Having a plan in place will help avoid panic or delays in action while the organization figures out what to do.
5. Keep a daily log of breach response activities – Having a log will come in handy if there are ever any questions about how the breach was handled — for example, if someone wants to know why they weren’t notified sooner than they were.
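Lessons 1 and 2 come down to a concrete check and a concrete fix: audit the files that actually sit on laptops for patient data, and stop error logs from capturing it in the first place. The following is an added example, not code from MAeHC or from Tripathi's post; the log format, field labels (MRN, DOB, SSN) and the sample log lines are constructed for illustration.

```python
import logging
import re

# Patterns for identifiers that turn up in dumped patient records. These are
# constructed for this example; tune them to the fields your EHR actually emits.
# Free-text names cannot be caught this way and need field-level scrubbing.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?:SSN[=:]\s*)?\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB[=:]\s*[\d/-]+"),
    "mrn": re.compile(r"\bMRN[=:]\s*\w+"),
}

# Constructed error log from a hypothetical EHR import job: the failure the page
# describes, where a record that fails to parse is dumped whole into the log.
SAMPLE_LOG = [
    "2011-04-12 09:15:02 INFO  import batch 7 started",
    "2011-04-12 09:15:03 ERROR bad record MRN=00417 DOB=1962-07-30 SSN=123-45-6789 name=Jane Doe",
    "2011-04-12 09:15:04 ERROR bad record MRN=00418 DOB=1975-02-11",
    "2011-04-12 09:16:00 INFO  import batch 7 finished, 2 errors",
]

def find_phi(text):
    """PHI-like matches in text, keyed by pattern name (empty dict if clean)."""
    return {name: pat.findall(text) for name, pat in PHI_PATTERNS.items() if pat.search(text)}

def scan_log_lines(lines):
    """Audit existing logs: (line number, kinds of PHI found) for every offending line."""
    return [(n, sorted(find_phi(line))) for n, line in enumerate(lines, 1) if find_phi(line)]

def redact(text):
    """Replace each PHI-like match with a marker so the log still shows what failed."""
    for name, pat in PHI_PATTERNS.items():
        text = pat.sub(f"[{name.upper()} REDACTED]", text)
    return text

class PHIRedactingFilter(logging.Filter):
    """Scrub PHI from a record before any handler writes it to disk.
    Attach it to the file handler itself so records propagated from child loggers are covered."""
    def filter(self, record):
        record.msg = redact(record.getMessage())  # format with args first, then scrub
        record.args = ()                           # the handler must not re-format
        return True

def scrubbed_message(msg, *args):
    """What a handler would write for one log call after the filter has run (constructed record)."""
    record = logging.LogRecord("ehr-import", logging.ERROR, "ehr_import.py", 0, msg, args, None)
    PHIRedactingFilter().filter(record)
    return record.getMessage()

if __name__ == "__main__":
    for n, kinds in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {', '.join(kinds)}")
    print(scrubbed_message("bad record %s", "MRN=00417 SSN=123-45-6789"))
```

Scanning is a point-in-time audit and still leaves the data on disk; the filter and full-disk encryption are the controls that keep a stolen laptop from becoming a breach.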