Part 6 of our series on Privacy and Data Security Best Practices.
I have just returned from the IAPP/ISACA KnowledgeNet conference in Vancouver this week, where the focus of the afternoon was on Privacy & Security in Healthcare. Some interesting facts arose from the forum:
- The cyber security threat targeting healthcare information systems is real and is dynamically changing. Hackers are changing attack campaign strategies on a weekly and even daily basis.
- It is no longer a question of whether your clinic or healthcare organization is going to be attacked by hackers, but how often.
- Once attackers are in, 60% of the data is stolen within hours.
- 80% of breaches remain undetected for months.
- Malware and Ransomware are continuing to evolve. New and stealthier versions frequently bypass antivirus software.
So, let’s assume the worst. You have walked into your clinic in the morning and found that you cannot access your EMR because of ransomware. Unfortunately, this is not a hypothetical risk. Or imagine instead that you have received a call from a patient who has discovered that his confidential health information was made available to someone who should never have had access to it, and he is certain your clinic provided it.
What to do?
Let’s begin by saying that you should have a plan to deal with a breach before one occurs. Once you have been hit, it is too late to go looking for a plan or to begin making one up as you go. The SANS Institute strongly recommends that you be prepared to handle this situation at a moment’s notice.
According to the Office of the Information and Privacy Commissioner of BC (OIPC), a privacy breach occurs any time there is unauthorized access to, or collection, use, disclosure or disposal of, personal information. What counts as unauthorized? In British Columbia, it means any activity that occurs in contravention of the Personal Information Protection Act (PIPA) or Part 3 of the Freedom of Information and Protection of Privacy Act (FIPPA). While cybersecurity threats are a very real danger, the most common privacy breach occurs when personal information of patients or staff is stolen, lost or mistakenly disclosed: for example, when a computer containing personal information is stolen, or personal information is emailed to the wrong individual.
Doctors of BC, the OIPC and the College of Physicians and Surgeons of BC have published a four-step guide to dealing with breaches, called “Responding to a Privacy Breach – Key Steps for Physicians”. More recently, the OIPC has published some very helpful resources on responding to a breach, including “Privacy Breaches: Tools and Resources”. Both documents focus on four key steps:
- Contain the breach. Take immediate action to limit the breach. For example, disconnect the affected system(s) from the clinic network and the Internet, but don’t power them down; that could make matters worse. Instead, get expert technical advice. In the case of ransomware, the Doctors Technology Office (DTO) at Doctors of BC has an excellent technical bulletin that may be of help. Additional resources, such as No More Ransom (a site run by two European police agencies together with Intel and Kaspersky) and the ID Experts ebook “What to do when your data is held hostage”, may also be useful.
- Evaluate the risks. Other immediate steps may be needed. It is essential to determine what personal information was involved, the cause and extent of the breach, who and how many individuals were affected by the breach, and what foreseeable harm might arise from it.
- Notification. It is important to notify affected individuals when doing so is necessary to avoid or mitigate harm to them. Equally important is knowing when and how to notify them, and who else should be contacted. Make sure to read the OIPC’s recommendations in the document above on what you should consider when deciding whether to notify the individuals affected by the breach.
- Prevention. Once immediate steps have been taken to mitigate risks, it is vital to thoroughly investigate the cause of the breach. This may require a detailed physical and technical security audit. Doing this will help you to develop or improve whatever is necessary to safeguard data going forward.
The OIPC Tools and Resources document also contains a checklist we would suggest placing in your clinic policy and procedures manual, in case it is necessary to respond to a breach in your clinic. The checklist will help you to decide whether or not to report a breach to the OIPC. In general, reporting to the OIPC should be considered:
- If the personal information is sensitive
- If there is a risk of identity theft or other harm, including pain or suffering or loss of reputation
- If a large number of people are affected by the breach
- If the information has not been fully recovered
- If a similar breach has taken place before, or if it was the result of a systematic problem
- If your clinic needs assistance in responding to the privacy breach
- If you want to ensure the steps taken comply with your clinic’s obligations under privacy legislation
Legal note to all of the above: This is intended for general information only. It is not intended to provide legal or other advice. The key message here is: make sure you have policies and procedures in place that will help you to recover from a privacy breach, before it occurs.
Here are some additional best practice resources you can use to be proactively prepared:
- OIPC of Alberta: Key Steps in Responding to Privacy Breaches
- The SANS Institute Incident Handler’s Handbook