Data breach compliance after Uber: Avoiding scandal

By Bethany A. Corbin, JD

Bethany A. Corbin (bcorbin@wileyrein.com) is an attorney at Wiley Rein, LLP in Washington, DC and focuses her practice on healthcare, privacy, and cybersecurity.

Like the latest installment of the Star Wars saga, data breaches are highly anticipated, command strong media attention, and can impact the lives of millions of consumers. From Anthem Blue Cross to Banner Health to Equifax, security-related incidents have dominated headlines and remain a top concern for businesses in 2018. In a survey of more than 15,000 chief information security officers (CISOs), the Ponemon Institute found that 67% of CISOs believed their companies would likely experience a cyberattack or data breach this year, with 60% noting that their concern has increased since 2017.[1] ,[2]

Healthcare entities in particular are prime targets for data breaches, given the sensitive information contained in medical records. From January to June 2017, hackers accessed almost 1.6 million patient records, and insider wrongdoing further exposed another 1.17 million patient records.[3] Failure to appropriately secure data and implement timely responses and notification measures for breaches can expose healthcare organizations to reputational damage, investigative inquiries, and civil liability. Given the organizational risks associated with data breaches, it is unsurprising that the term conjures images of fear for both companies and consumers, much like the Star Wars Death Star inspired dread throughout space civilizations.

The inevitability of data breaches has forced companies to question their prevention and response strategies — particularly in light of Uber’s recent data breach scandal. Although the popular press has taken issue with Uber’s failure to follow data breach notification laws, adherence to such laws alone will not ensure a culture of compliance — especially in the healthcare industry. Rather, an effective compliance response to healthcare data breaches must begin before a breach occurs and continue after the breach is contained. Breach notification is an important aspect of compliance, but contrary to widely held belief, it should not dominate the compliance and investigative process. Instead, organizations must focus on identifying, containing, and remedying the breach as top priorities. This article proposes three compliance strategies for healthcare entities to employ before, during, and after a data breach to help avoid becoming the next Uber.

Before a data breach

Knowing what kinds of protected information your organization handles, where it is stored, and who handles it and why (both in-house and with vendors) is key to keeping that data safe. An incident response plan will help you respond effectively to a possible threat.

Inventory and monitor protected health information

If your organization collects, maintains, or uses protected health information (PHI) (as that term is defined by the Health Insurance Portability and Accountability Act [HIPAA] and relevant state law), you should review and analyze your information systems to identify where your company stores PHI and other sensitive data.[4] An inventory of protected information can help confirm your compliance with state and federal laws. This inventory should provide a complete summary of every element of PHI that your organization possesses — in both paper or electronic format. An easy way to begin the inventory is to follow the path of PHI through your organization from the time a patient contacts your organization until the final claim is paid, accounting for each person and system that handles PHI. Consider documenting the types of PHI and sensitive information that your organization maintains and how this data is kept secure. By understanding the flow of sensitive data, your organization can respond faster to a breach and will have an immediate sense of whether the system hack involved sensitive information. Following this inventory, you should continue to review and update your information systems, and monitor for PHI and data leakage or loss.

Develop an incident response plan and risk mitigation strategy

An incident response plan (IRP) is a key organizational document that converts knowledge into a step-by-step actionable framework for use during a data breach. In essence, the IRP should be a written data breach response policy that identifies the appropriate individuals to contact during a breach, sets forth required documentation efforts, and highlights response strategies. Legal standards, including breach notification requirements, should also be incorporated into this document.

Consider identifying the appropriate incident response team in the IRP, which may include the chief privacy officer, general counsel, administrators, IT professionals, and risk management representatives. The individuals on the team should be empowered to react to a data breach, and should receive applicable training on data breach response and mitigation. Further, your IRP should specify incident handling procedures and should ensure that all employees know how to timely report data breaches. Ensuring effective internal communication is key during a data breach, and each employee should be reminded of the time sensitivities associated with compromised PHI. When they occur, data breaches are stressful events, and the creation of a well-executed IRP can minimize the impact and uncertainty associated with a breach.

Assess and understand vendor vulnerabilities

In the age of outsourcing, most healthcare organizations rely heavily on approved vendors to conduct certain business operations. As the Health Information Technology for Economic and Clinical Health (HITECH) Act made clear, business associates that work for covered entities and have access to PHI must comply with HIPAA. The HITECH Act expanded liability for both business associates and covered entities in the event of a breach, and covered entities may be liable for breaches that occur within the vendor organization.

Accordingly, it is crucial that covered entities understand their legal and compliance obligations with respect to vendors. Indeed, the Equifax hack recently exposed theoretical healthcare vendor vulnerabilities.[5] Equifax operates as a financial verification vendor to the Department of Health and Human Services for enrollees under the Affordable Care Act. Equifax’s marketplace exchange data was not implicated in the breach, but it serves as a cautionary tale of how vendors can leave covered entities vulnerable to attack. Healthcare data breaches premised on vendor vulnerabilities are increasingly common, and data sharing with third parties is perceived as one of the biggest vulnerabilities for healthcare providers. Thus, covered entities should attempt (to the best of their ability) to actively monitor their vendor’s privacy and security compliance, and ensure that effective and clear lines of communication exist for vendors to report data breaches to the covered entity.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings