TRENDING:

The Security Scrutinizer with Howard Anderson

A Breach Response Checklist

Steps to Help Ensure HIPAA Breach Rule Compliance Howard Anderson (ismg_editor) • December 9, 2011    

New York Presbyterian Hospital has developed a breach response checklist that others should consider as they create their breach resolution game plans.

See Also: Live Webinar | Cybersecurity in Healthcare Supply Chains: A CISO Perspective

Nickie Braxton, compliance and privacy officer at the hospital, outlines the key components of its strategy, which was beefed up following a breach incident:

  • Investigate security incidents immediately;
  • Mitigate potential harm promptly by taking appropriate action, such as removing data exposed on the Internet;
  • Determine whether the breach represents a significant risk of harm to patients and thus must be reported to patients and regulators;
  • Report major breaches (affecting more than 500) promptly to patients, the news media and the Department of Health and Human Services' Office for Civil Rights;
  • Conduct a root cause analysis of why the incident occurred and then take remediation action.
  • Take disciplinary action against anyone responsible for the breach;
  • Educate staff about the issues involved in the breach to help minimize the risk of similar incidents.

Breach Incident

When you have this process documented, it helps you not panic because you already know what you have to do. 

Last year, Columbia University Medical Center, one of two medical centers that are part of the New York-Presbyterian Hospital organization, reported a security breach may have exposed information about 6,800 patients on the Internet. "The information was inadvertently exposed on a web page, and as soon as this error was discovered, we made sure that the web page was removed," according to a hospital statement (see: New York Hospital Reports Internet Breach).

Without discussing details of the incident, Braxton noted during a presentation at the American Conference Institute's Healthcare Information Privacy & Security Forum in Philadelphia that the breach resolution process she outlined covers the expectations of the HHS Office for Civil Rights for complying with the HIPAA breach notification rule. OCR staff investigating the breach emphasized, for example, the importance of disciplining staff responsible for a breach, she pointed out.

Also at the conference, Dawn Morgenstern of the Walgreens drugstore chain stressed the need to carefully document all necessary breach investigation and notification actions and responsibilities to avoid chaos when an incident occurs. "When you have this process documented, it helps you not panic because you already know what you have to do," she said.



About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

The Risks Posed by Mobile Health Apps
The Risks Posed by Mobile Health Apps
Analysis: Is Chinese Database Exposure a Cause for Concern?
Analysis: Is Chinese Database Exposure a Cause for Concern?
Ransomware Gangs Find Fresh Ways to Make Victims Pay
Ransomware Gangs Find Fresh Ways to Make Victims Pay
How Organizations Can Leverage SASE
How Organizations Can Leverage SASE
Fed Studies Development of Digital Dollar
Fed Studies Development of Digital Dollar
Equifax Breach: CISO Describes Lessons Learned
Equifax Breach: CISO Describes Lessons Learned
Privacy Framework Proposed to Address HIPAA Gaps
Privacy Framework Proposed to Address HIPAA Gaps
Using Tech to Prevent Fraud in Government Loan Program
Using Tech to Prevent Fraud in Government Loan Program
Key Considerations for Privileged Access Management
Key Considerations for Privileged Access Management
Price Is Right: When Insiders Are Willing to Violate HIPAA
Price Is Right: When Insiders Are Willing to Violate HIPAA

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.