Even with a perfect cybersecurity strategy and implementation, including performing all required steps to be HIPAA compliant, your medical practice could still be hacked by cybercriminals.
Doctors’ offices and other businesses that collect private customer information (payment information, addresses, personal health details, and more) to deliver services are regularly targeted by cybercriminals.
In the third quarter of 2018, the Protenus Breach Barometer reported 117 health data breaches with 4.4 million patient records compromised.
It’s important to note that doctors and other healthcare providers aren’t the only businesses that need to comply with HIPAA regulations. Other businesses that work with protected health information (PHI) must also comply with HIPAA privacy requirements. These include businesses such as billing companies, lawyers, and financial consultation services to mention a few. Such companies are usually contracted by covered entities and are known as business associates.
A critical and often overlooked aspect of a cybersecurity strategy is knowing what to do if you do experience a data breach and, secondly, what you can do to regain the trust of your patients. It is best to be prepared and have a strategy for how you will address the incident. An incident response plan provides the steps a business will take if a hacker successfully penetrates their defense, resulting in a medical records breach.
Beyond the legally required steps that covered entities must take, taking the necessary steps to rebuild trust with customers is an equally important component of recovering from a data breach.
Trust: A Key Component for Any Successful Business
People do business with companies they trust. A successful data breach of PHI can cause patients to lose trust in your practice. Once trust is lost, customers often will take their business elsewhere.
A survey by SAP found that “abuse of customer data could cause 80% of consumers to abandon your brand.”
A HIPAA data security breach is a serious matter that can seriously impact any covered entity’s bottom line and longevity.
Report the Breach to Authorities and Explain What Happened to Your Patients
For any covered entity, this step is mandatory because it is legally required. For an overview of notification procedures, read How do I report an unsecured Protected Health Information (PHI) Breach?
Any company that experiences a security breach should explain to its customers what happened. This is near-universal advice for how to handle a breach. Covered entities need to contact affected individuals via First Class Mail or email (if they have permission).
Email is faster and will give affected individuals a better chance to protect themselves from identity theft and other financial harm in a timely manner.
Beyond simply alerting individuals, explaining what happened helps to rebuild trust. Research indicates that honesty and openness are good business. In a study by The Relational Capital Group on brand recalls and their effect on customer loyalty, a link between honesty and continued loyalty was evidenced in two noteworthy findings:
- 91% of consumers agreed that companies make mistakes that lead to product recalls.
- 87% agreed with the statement that they are “more likely to purchase and remain loyal to a company or brand that handles a product recall honorably and responsibly, even though they clearly made mistakes that led to a safety or quality problem.”
Have Your Facts Correct
While it is important to contact your patients quickly, a mistake many companies make is to respond too quickly. Move quickly, but investigate the facts of the matter thoroughly so that you do not over- or under-report the number of affected individuals or other details.
Communicate in Plain Language
The healthcare industry uses a lot of jargon and acronyms. Minimize jargon when explaining the data breach to your patients. All communications must be simple, clear, and concise.
Your patients have had their personal information stolen. Now is not the time to use language to “obfuscate” (or in other words, “hide”) what happened and what they should do next.
Healthcare communication often lacks personality and is clinical. When delivering post-op instructions to a patient, it is important to impart the information in a direct, non-emotional manner.
In a data breach, that is typically not the right approach. Tailor your message for your audience and be sympathetic to the additional aggravation the breach of their personal data has caused in their lives.
Share Security Tips and Advice
For covered entities, this is required. For any other business, it is good advice. In your notification to affected individuals, include suggested steps to help them secure their information, such as paying extra attention to fraudulent charges on credit cards, changing passwords, etc.
Get Your Employees Involved
Providing thorough, ongoing information security training for employees is essential. Not all PHI breaches result from cybercriminal hacking attacks. Human error and carelessness can also result in costly HIPAA violations.
Cybersecurity should be an evolving program that requires continuous tweaking and updating, including regularly reminding employees of how important a security culture is and training them on the correct procedures.
Medical Record Data Breaches: A Matter of When, Not If
Many companies and cybersecurity professionals believe that hacks are inevitable. Whether because of ingenious hackers, employee errors, a missed patch, or any of a multitude of other reasons, a PHI data breach could happen to you.
Creating a cybersecurity plan in accordance with HIPAA compliance regulations will keep your office as secure as possible. Following the steps and suggested tips in this post will help you keep or regain your patients’ trust if your network is hacked and a PHI breach occurs.
Not sure where to start? We can help. Contact us with any HIPAA compliance questions.