TRENDING:

The Security Scrutinizer with Howard Anderson

A Breach Response Checklist

Steps to Help Ensure HIPAA Breach Rule Compliance Howard Anderson (ismg_editor) • December 9, 2011    

New York Presbyterian Hospital has developed a breach response checklist that others should consider as they create their breach resolution game plans.

See Also: The Application Security Team's Framework For Upgrading Legacy Applications

Nickie Braxton, compliance and privacy officer at the hospital, outlines the key components of its strategy, which was beefed up following a breach incident:

  • Investigate security incidents immediately;
  • Mitigate potential harm promptly by taking appropriate action, such as removing data exposed on the Internet;
  • Determine whether the breach represents a significant risk of harm to patients and thus must be reported to patients and regulators;
  • Report major breaches (affecting more than 500) promptly to patients, the news media and the Department of Health and Human Services' Office for Civil Rights;
  • Conduct a root cause analysis of why the incident occurred and then take remediation action.
  • Take disciplinary action against anyone responsible for the breach;
  • Educate staff about the issues involved in the breach to help minimize the risk of similar incidents.

Breach Incident

When you have this process documented, it helps you not panic because you already know what you have to do. 

Last year, Columbia University Medical Center, one of two medical centers that are part of the New York-Presbyterian Hospital organization, reported a security breach may have exposed information about 6,800 patients on the Internet. "The information was inadvertently exposed on a web page, and as soon as this error was discovered, we made sure that the web page was removed," according to a hospital statement (see: New York Hospital Reports Internet Breach).

Without discussing details of the incident, Braxton noted during a presentation at the American Conference Institute's Healthcare Information Privacy & Security Forum in Philadelphia that the breach resolution process she outlined covers the expectations of the HHS Office for Civil Rights for complying with the HIPAA breach notification rule. OCR staff investigating the breach emphasized, for example, the importance of disciplining staff responsible for a breach, she pointed out.

Also at the conference, Dawn Morgenstern of the Walgreens drugstore chain stressed the need to carefully document all necessary breach investigation and notification actions and responsibilities to avoid chaos when an incident occurs. "When you have this process documented, it helps you not panic because you already know what you have to do," she said.



About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Capturing ROI on Your Unified Endpoint Management Investment
Capturing ROI on Your Unified Endpoint Management Investment
Life as a 'Virtual CISO'
Life as a 'Virtual CISO'
The Rise of Security-Driven Networking
The Rise of Security-Driven Networking
DeepDotWeb Goes Dark
DeepDotWeb Goes Dark
Minimizing Cloud Security Risks
Minimizing Cloud Security Risks
Safeguarding PHI in Healthcare Apps: Critical Steps
Safeguarding PHI in Healthcare Apps: Critical Steps
WhatsApp Exploit Reveals 'Legalized Hacking' at Work
WhatsApp Exploit Reveals 'Legalized Hacking' at Work
WhatsApp's Spyware Problem
WhatsApp's Spyware Problem
The Impact of Localization on Cloud Service Providers
The Impact of Localization on Cloud Service Providers
Tips on Tackling Medical Device Cybersecurity Challenges
Tips on Tackling Medical Device Cybersecurity Challenges

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.