We know the cybersecurity landscape will continue to evolve in 2019. Attacks will become more sophisticated, and Protected Health Information (PHI) will remain vulnerable (and valuable) to cybercriminals. When a clinic faces a data breach, putting out the fire is just the beginning of a lengthy, painful, and costly journey — especially if the breach involves HIA, PIPEDA or HIPAA violations. According to IBM Security, healthcare data breach costs are the highest of any industry at an average $408 per record. This list of what to expect after a privacy breach sheds light on why privacy breaches get so costly, so quickly.
1. Time and Effort Identifying Vulnerabilities
Determine where the breach originated from and take steps to isolate the issue. Ask yourself: Who is responsible for the breach? What data was stolen, misused, or inappropriately disclosed? Is the entire network infiltrated? How did my security measures fail? When did it happen?
2. Assess and Address Risks
Once the breach is under control, it’s critical to correct technical issues, as well as test other areas that may be vulnerable. To safeguard patient data, complete a comprehensive risk analysis and action plan that includes reformatting infected devices, restoring data from clean backups, updating passwords, managing network access, etc. In many jurisdictions, a large part of addressing the risk is paying for two years of identity monitoring for affected patients.
3. Emergency IT Support
Your IT support will likely be heavily engaged in breach responses that involve the loss of digital information or an infiltration of your network. You’ll need them on site to contain the breach, detect security failings, and implement sound security measures.
4. Reporting the Breach by Notifying Appropriate Parties
Mandatory breach notification requirements are enforced under HIA, PIPEDA, and HIPAA. Notifications to regulatory bodies, and any patients involved must be provided in a timely manner.
5. Regulatory Penalties
Often privacy breaches come with regulatory fines and lawsuits from angry patients. Violating the regulations (failure to take required steps to protect patient data in your clinic, or to report any breach appropriately) can result in significant fines of up to $100,000 before legal fees.
6. Reputational Recovery
Patients you have to inform about a loss of their information are likely to tell friends and neighbours. Crisis communications fees can add up quickly as you’ll need expert support to manage the message and reduce the damage of informing the community your clinic failed to protect patient information.
7. Clinic Downtime
In the event of a system wide breach in your clinic such as a ransomware attack, your clinic will likely be inoperable while you address the issue. In these cases, you may not even be able to notify patients their appointment is canceled. Clinic downtime from a ransomware attack can range from a couple of days to weeks, or even forever.
Mitigate Risk and Protect your Practice with Brightsquid
As a healthcare provider, you’re an expert in patient care, not the security of patient data. A data breach can be devastating, and the process of recovery requires a lot of intricate details that mustn’t be ignored. Luckily, Brightsquid’s privacy professionals are here to help protect your practice with Brightsquid Protect. Our complete compliance package includes a comprehensive suite of privacy services including writing or updating your Privacy Impact Assessment (PIA), providing on-demand support through our hotline, conducting training for new staff, and advising on regulatory changes and updates. You’ll also receive access to the Brightsquid Secure-Mail platform, which enables safe and compliant two-way communication with patients and other providers, and our Cyber Insurance, which offers $500,000 Coverage for expenses, costs, and fines incurred during and after a ransomware attack not typically covered by practice insurance. To learn more about Brightsquid Protect,contact crystal.w@brightsquid.com.