Lack of readiness and a hunger for personal health data on the black market makes hospitals and doctors’ offices soft, fat targets for cyber crimes and extortion. For those in the healthcare industry, a data breach isn’t just a possibility. It’s practically inevitable. Data breaches are spiking dramatically, and yet healthcare providers are lagging significantly compared to other industry segments when it comes to readiness.
Healthcare providers average a paltry 6% of their information technology budget expenditures on security, according to the “2016 HIMSS Analytics Healthcare IT Security and Risk Management Study,” from security firm Symantec and HIMSS Analytics, the research arm of the Healthcare Information and Management Systems Society. Compare that to financial and banking institutions, which spend 12% to 15%, and the federal government, which spends 16% of its IT budget on security.
That lack of readiness, combined with the fact that personal health information currently is much more valuable than credit card information on the black market, makes healthcare providers soft, fat targets for cyber attacks and blackmail. It’s no wonder that more than 40% of breaches happen in the medical and healthcare industries, compared to a combined 35% for other businesses. Banking, credit card and financial services combined account for less than 4%; education about 10%, and government and military about 10%, according to the Identity Theft Resource Center.
Surprised? Get over it and get on with it.
Communication is Crucial to Surviving Cyber Attacks
If you are a hospital chief executive, you have a legal and ethical obligation to report and communicate details of a data breach with a variety of entities. That means — before disaster strikes — you need:
- A crisis communications plan
- A crisis communications leader and designated cross-functional team
- A crisis communications method, complete with contact details for team members
Beyond the regulatory requirements, there’s a real urgency to get this right. If handled inappropriately, the impact of a cyber attack or data breach can be devastating. Beyond the damage to individual patients, almost a third of whom will seek a new healthcare provider in the event of a breach, careers and shareholder value can be destroyed.
Get legal involved as soon as possible to guide you through the details and obligations of your response. In addition to internal legal staff, it’s a good idea to consult with a specialist. Consider retaining a healthcare data breach lawyer.
In an ideal world, you would have done this ahead of the incident, war gamed responses to a variety of scenarios, and created an incident response plan. Those incident response plans need to be reviewed and revised periodically, too, so that your team knows your policies and procedures, as well as their individual roles and responsibilities.
Inform Your Customers
Assuming that technical responses have been completed, and that you have determined that you are legally and/or ethically required to do so, your next task will be to advise those customers who have been affected by the breach.
This is easier said than done and typically requires input from your legal and marketing/public relations departments to craft appropriate messages and deliver them through multiple channels, likely a combination of paper mail, web and social media notifications, and call center support. Don’t forget that you probably will need to offer these same communications in multiple languages.
Striking the right tone is important. In general, you should strive to be straightforward and direct in describing what happened, what you are doing to prevent such an occurrence in the future, and what opportunities or remedies are available to those impacted, such as identity theft protection.
Inform Your Regulators
Within 60 days of discovering the incident, you’ll need to inform the Secretary of Health and Human Services and also the Federal Trade Commission. Depending on the details surrounding your data breach, you also may need to notify the Attorney General, Medicare, Medicaid, state regulators and the Department of Homeland Security. It’s best to create your list before you need it and discuss your potential obligations with legal.
Inform the Media
If more than 500 residents of a single state or jurisdiction are impacted by your breach, you will need to create and distribute a press release no later than 60 days following your discovery of the breach, and it must include the same information required for the individual notices. Again, striking the right tone while including the relevant details is important, and you will want to discuss this thoroughly with legal and marketing/public relations so as to not make a bad situation worse.
Inform Your Business Partners and Other Shareholders
If your breach potentially impacts your business associates, you potentially have a legal or ethical obligation to alert them no later than 60 days from discovering it, and to communicate the same relevant details you offered affected customers.
Just as every company and every cyber crime is different, so is every competent professional response. One of the best ways to prepare your communications plan is to “war game” it beforehand, considering the impact, the likely chain of events, and the resources necessary to save the day, your customers’ peace of mind, and maybe your career.