Best Practices for Security Incident Reporting in Healthcare
Streamlined incident reporting could help the healthcare industry improve its abysmal external security posture.
A recent cross-industry study from Coalfire Labs has revealed that healthcare firms consistently rank at the bottom of the barrel when it comes to external security posture.
It’s bad news, to be sure — but not unexpected. Last year’s wave of ransomware attacks targeting large hospitals revealed just how vulnerable many of these organizations are. Given the sensitive nature of the information they’re responsible for protecting, it’s vital that healthcare organizations find ways to improve upon their security failings.
Those who do not learn from history are doomed to repeat it. And until healthcare organizations invest in robust security incident reporting processes, they’ll be unable to adequately bridge their sizeable security gaps. Additionally, healthcare firms must report incidents based on the HIPAA Breach Notification Rule, state laws, and, in some cases, business associate agreements.
HIPAA allows up to 60 days to report breaches affecting 500 or more patients, but state laws and contracts often impose stricter deadlines. Because the process from initial discovery through validation, remediation, and recovery can be enormously time-consuming, a streamlined reporting process helps keep healthcare organizations secure from both attackers and legal liability.
Building a Tiered Reporting Process
One solution that healthcare organizations could consider is that of an “umbrella” reporting process designed to quickly alert those authorized to diagnose and respond to security incidents. Employing separate reporting processes for security, privacy, technical, and non-technical issues slows response times and complicates workforce training.
HIPAA defines a security incident as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
HIPAA requires healthcare entities to report breaches of health information, but these rules assume that the organization knows an incident has occurred, which is not always the case. Any sound incident management procedure must therefore make the reporting of suspected incidents — not just confirmed ones — its very first step.
Just as all suspected incidents can’t accurately be called “incidents,” not all incidents can necessarily be considered breaches. HIPAA’s Omnibus Rule defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by HIPAA guidelines].” This rule also details a set of exclusions to the term “breach.”
Even experienced compliance teams can find it difficult to determine whether an incident rises to the level of a breach, which is why healthcare organizations should appoint a small team of authorized individuals to make that determination. Using the term “breach” before that determination has been made can cause unnecessary alarm, so until the appointed team has completed its review, continue to refer to the matter as an “event” or “incident.”
Breaking Down Reporting Barriers
Incident reporting processes can benefit from an anonymous hotline, through which employees can report potential breaches or suspected incidents without fear of identification or retribution. Such hotlines tend to increase the frequency of security incident reports while driving greater awareness across your organization of security threats and risk factors.
For a hotline to truly benefit your organization, however, employees must be thoroughly trained in how to recognize and report issues. Over time, a hotline combined with a well-trained workforce should drive a notable reduction in both the severity and the frequency of incidents.
The Value of a Trusted Cybersecurity Partner
As I’ve just described, the easiest way to improve your healthcare organization’s security posture is by implementing a streamlined reporting process. And perhaps the simplest and fastest way to do that is to partner with the experienced professionals at Turn-key Technologies (TTI).
At the end of the day, implementing a truly successful security incident reporting process requires an in-depth understanding of cybersecurity as a whole. And with years of experience securing hospitals against events of all severity levels, the TTI team is equipped with the knowledge and expertise required to do just that.