
How to Prepare for a Data Breach in Healthcare


By Michael Reph
Account Executive, Parker, Smith & Feek

By Ryan Roberts
Account Executive, Parker, Smith & Feek


Original Publish Date: June 7, 2016

As the number of data breaches continues to increase, it is critical to understand what counts as secured data, how to properly notify the appropriate parties, and what qualifies as an official breach. For healthcare organizations, the fiduciary responsibility for storing personally sensitive information is two-fold:

  1. As a covered entity, for employee health plans and personal data, and
  2. For third-party liability for patients' personal data

To ensure proper data breach response preparedness (and to show proper due diligence), your directors and leadership staff should be asking I.T. and key partners the pertinent questions now, before a breach occurs:

Have we ever had system penetration testing done, and have we reviewed the results?

Do we have adequate I.T. security policies in place?

Are we using updated operating systems to help manage electronic medical records?

Who would be working as our forensic team, post-breach?

Do we have a breach response plan in place?

Do we have sufficient cyber/data liability insurance coverage to mitigate the legal, reputational, and credit monitoring costs? And if we don’t carry insurance coverage, will our current finances be sufficient to cover such costs when we have a data breach?

Proper documentation of these internal conversations (via minutes) and of the resulting actions (for example, keeping system penetration testing results readily available and documenting the steps taken to shore up weaknesses) will help defend the organization in federal and civil lawsuits after a breach. Past lawsuits have shown that directors are not required to be experts in this area, but they do need to rely on outside experts or expert internal management for advice when addressing these issues. The Ponemon Institute indicates that 90% of healthcare organizations had exposed their patients' data or had it stolen in 2012 and 2013.

The ever-changing data breach notification requirements across the various state authorities and federal law, the continued increase in the number and severity of cyber attacks, and the growing size of federal lawsuit judgments make this an important topic that healthcare organizations, both large and small, need to address. Partnering with a well-versed risk consultant, in either a legal or an insurance capacity, who understands the actions necessary both before and after a cyber breach to defend your organization will provide better organizational resiliency when your organization is attacked.

Parker, Smith & Feek is a full service brokerage firm providing commercial insurance, risk management, surety, benefits, and personal insurance solutions. Michael Reph and Ryan Roberts are Account Executives on our Healthcare Practice team. www.psfinc.com