Data breaches have long plagued many industries, including healthcare and financial services.
During the current public health crisis, HIPAA-covered entities must still apply all reasonable safeguards to protect the privacy of patients who may be infected with the novel coronavirus (COVID-19), although the HIPAA Privacy Rule does offer some accommodations in such cases.
Business owners need to be prepared and should always have a plan in place for a worst-case scenario. One way to prepare is to understand what a Breach Risk Analysis is.
In this blog, we give tips on how to plan for a data breach and what to do when one occurs.
Got breached? Implement a four-step plan
A data breach occurs when sensitive information about an individual is lost, stolen, hacked, or inappropriately disclosed. Any time an organization suspects that one of these incidents has occurred, it should immediately perform a Breach Risk Analysis.
This analysis can be conducted by following a four-step plan (the steps mirror the four factors of the risk assessment required by the HIPAA Breach Notification Rule, which determines whether an incident must be treated and reported as a breach):
- Determine what type of data was involved
- Determine which person or organization stole or received the data
- Determine whether that person or organization actually acquired or viewed the data
- Document the mitigating actions the organization took
Let's take a closer look at each step.
Determine the type of data that was involved
The first step is to examine the type of data that was involved in the breach. This step is crucial because it tells the organization how significant the exposed data is.
Even if the breached information seems minimal, the organization must determine whether it can be combined with other data to reconstruct or re-identify an individual; a few seemingly harmless fields are often enough.
If the breached data contains sensitive information such as client names, dates of birth, and Social Security numbers, the organization may have to offer additional services, such as credit monitoring, to the affected individuals.
Determine which person or organization stole or received the data
This step allows the organization to understand the parties involved in the breach, along with their responsibilities and motivations as they relate to the exposed data.
For example, if a healthcare organization accidentally discloses Protected Health Information to another healthcare organization, the recipient is still bound by HIPAA rules to protect the privacy and security of that patient data. If the same patient information is inadvertently disclosed to a private business or individual, however, no such obligation applies to the recipient.
If the data was accessed by criminals, such as hackers, the organization must assume malicious intent.
Attackers are likely to sell the data, so downstream crimes such as fraud or identity theft should be expected. Any time sensitive data is accessed by hackers or other criminals, the organization should consider involving legal counsel and law enforcement.
Determine whether the person or organization acquired or viewed the data
This difficult but necessary step allows an organization to determine whether sensitive information was actually viewed by an unauthorized third party.
If the breach involved malware such as spyware or ransomware, the organization must perform a forensic analysis to establish not only whether information was viewed but also whether it was exfiltrated. Note that under HHS guidance, ransomware that encrypts electronic PHI is presumed to be a breach unless the risk analysis demonstrates a low probability that the data was compromised, so the burden is on the organization to show what the malware did and did not do.
Other breaches involve sensitive information being sent to the wrong party, such as an errant fax or email. In these cases it is important for the organization to confirm, preferably in writing, that the recipient has properly disposed of the sensitive information.
Document mitigating actions taken
Organizations should not wait until the level of exposure from a breach is determined before they start mitigating. If the breach had a technical component, such as ransomware, the organization must document actions such as restoring backups, removing malicious software, and any forensic analysis that was performed. Preserve evidence (disk images, logs) before remediation, since restoring systems from backup can destroy the very records the forensic analysis depends on.
If the breach involved an improper disclosure, the organization should document that the third party properly disposed of the data.
Organizations will always be at risk of data breaches. The best step they can take is to be prepared for when a breach happens, not if.
It is always a best practice to have a breach response plan in place, and any organization can put one together by incorporating the four steps described in this blog.