Healthcare News & Insights

10 steps to take after a data breach

Protecting patients’ health information involves not only preventing security breaches, but also planning properly for how to respond if a breach occurs. Here are 10 steps organizations must take following a health data breach. 

While there are some steps healthcare organizations can take to limit the risk of a data breach, not all incidents are preventable. That’s why a thorough breach response plan is essential for all organizations that hold personal health information.

Responding properly will help lower patients’ risk of becoming victims of fraud – as well as limit the organization’s risk of fines and other legal trouble.

Here are ten critical steps to take after a data breach, according to security vendor ID Experts:

1. Assemble an incident response team — Members of the team should be chosen when the response plan is developed — and organizations must make sure they update the list of who’s involved as people change jobs. This team must meet immediately after a breach is discovered to determine appropriate actions.

2. Confirm priorities — When the team meets, reiterate what the group is trying to accomplish, including preventing harm to patients, protecting the organization’s reputation, preventing loss of revenue and avoiding fines.

3. Contain the leak and fix the underlying vulnerabilities — If the organization’s network was hacked, for example, make sure the attackers’ point of entry is closed so that no further information is stolen.

4. Engage pre-selected external partners — That means contacting legal counsel, victim protection services, and parties to assist with a Department of Health and Human Services investigation.

5. Conduct an incident risk assessment — Organizations need to investigate the incident and determine the risks faced by affected patients, as well as determine whether the incident qualifies as a reportable breach.

6. Notify customers, regulators and other parties as required by law — Doing so quickly not only helps meet compliance requirements; any delay also makes it harder to retain patients’ trust.

7. Set up a call center — Once patients are notified, the most important thing an organization can do is give them a person to contact with questions and concerns. A call center can be set up with in-house resources or outside help.

8. Review federal and state legal requirements — In addition to the HITECH Act, healthcare organizations may be subject to requirements from state laws for responding to a data breach.

9. Make sure all federal and state agencies are notified — As part of a breach response plan, organizations should have references ready explaining what information those agencies need.

10. Prepare for an investigation — That includes having documentation of the organization’s incident assessment and what steps were taken in response to the breach.
