The Cybersecurity Unit of the Department of Justice has released new guidance and breach response best practices to help organizations prepare for security breaches. It is essential that any holder of personal information on consumers knows how to respond correctly as a victim of a breach, and how, where and when to report data breaches.
The guidelines are not specifically aimed at the healthcare industry, although they are relevant to it. Healthcare providers must comply with the HIPAA Breach Notification Rule, which requires specific actions to be taken following a data breach. These are broadly covered by the guidelines; however, since there are HIPAA-specific requirements, covered entities (CEs) should also consult OCR guidance.
The DOJ recommends the Cybersecurity Framework produced by the National Institute of Standards and Technology (NIST), which it says “provides excellent guidance on risk management planning and policies and merits consideration.” This framework has been adopted by 85% of healthcare providers and can be of great benefit to smaller healthcare organizations.
Under HIPAA, CEs are required to develop breach response policies with an actionable plan that can be put into action immediately following a breach. The Breach Response Best Practice Guide covers this process and details the actions that must be taken, and in which order.
The breach response best practices have been compiled by the DOJ based on the experience the department has gained dealing with cybersecurity breaches. Input was also sought from organizations in both the public and private sectors that have been affected by cybersecurity breaches and have had to put their own policies into practice.
It is often only when a breach actually occurs that healthcare organizations realize their policies are not particularly workable in practice. The new guide can therefore be used to fine-tune policies and procedures to make sure they work in practice and that the breach response can be implemented quickly and efficiently.
The guidelines offer advice on preparing for a data breach, what to do while a breach is discovered and still active, and the actions to take afterwards, including some useful do’s and don’ts.
The breach response best practices are aimed at smaller organizations that lack the resources to commit to HIPAA compliance. Since it is clear that security breaches will continue to occur, and in all likelihood with greater frequency, it is essential that all organizations holding PHI, PII or other confidential data know how to respond in case of attack.
The guide tells readers to identify their crown jewels, meaning the data that requires the greatest level of protection. For most organizations this will be financial data; for healthcare providers and insurers it will also include PHI.
The main focus is on the breach notification process and what must be done during and after a breach. Time can be critical, so it is essential that all organizations are thoroughly prepared. A fast and efficient response can significantly reduce the damage caused by a healthcare data breach.