Original Publish Date: June 7, 2016
As the number of data breaches continues to increase, understanding what is classified as secured, how to properly notify the appropriate parties, and what can be counted as an official breach is critical. For healthcare organizations, fiduciary responsibility of personally sensitive information storage is two-fold:
To ensure proper data breach response preparedness (and to show proper due diligence), your directors and leadership staff should be asking I.T. and key partners the pertinent questions now, before a breach occurs:
Have we ever had system penetration testing done, and have we reviewed the results?
Do we have adequate I.T. security policies in place?
Are we using updated operating systems to help manage electronic medical records?
Who would be working as our forensic team, post-breach?
Do we have a breach response plan in place?
Do we have sufficient cyber/data liability insurance coverage to mitigate the legal, reputational, and credit monitoring costs? And if we don’t carry insurance coverage, will our current finances be sufficient to cover such costs when we have a data breach?
Proper documentation of these internal conversations (via minutes) and actions (i.e. having readily available system penetration testing results and documenting the actions shoring up weaknesses) will help defend the organization in federal and civil lawsuits, post-breach. It is important to note that historical lawsuits have shown that directors are not required to be experts in this area, but that they do need to rely on outside experts or expert internal management for advice when addressing these issues. The Ponemon Institute indicates that 90% of healthcare organizations had exposed their patients' data or had it stolen in 2012 and 2013.
The ever-changing requirements in data breach notification requirements within the various state authorities and the federal law, continued increase in the number and severity of cyber attacks, and increase in the size of federal lawsuit judgments make this an important topic which needs to be addressed by healthcare organizations, both large and small. Partnering with a well-versed risk consultant in either a legal or insurance capacity who understands both the pre and post-cyber breach actions necessary to defend your organization will provide better organizational resiliency when your organization is attacked.
Parker, Smith & Feek is a full service brokerage firm providing commercial insurance, risk management, surety, benefits, and personal insurance solutions. Michael Reph and Ryan Roberts are Account Executives on our Healthcare Practice team. www.psfinc.com