TRENDING:

The Security Scrutinizer with Howard Anderson

A Breach Response Checklist

Steps to Help Ensure HIPAA Breach Rule Compliance Howard Anderson (ismg_editor) • December 9, 2011    

New York Presbyterian Hospital has developed a breach response checklist that others should consider as they create their breach resolution game plans.

See Also: Live Webinar | Embracing Digital Risk Protection: Take Your Threat Intelligence to the Next Level

Nickie Braxton, compliance and privacy officer at the hospital, outlines the key components of its strategy, which was beefed up following a breach incident:

  • Investigate security incidents immediately;
  • Mitigate potential harm promptly by taking appropriate action, such as removing data exposed on the Internet;
  • Determine whether the breach represents a significant risk of harm to patients and thus must be reported to patients and regulators;
  • Report major breaches (affecting more than 500) promptly to patients, the news media and the Department of Health and Human Services' Office for Civil Rights;
  • Conduct a root cause analysis of why the incident occurred and then take remediation action.
  • Take disciplinary action against anyone responsible for the breach;
  • Educate staff about the issues involved in the breach to help minimize the risk of similar incidents.

Breach Incident

When you have this process documented, it helps you not panic because you already know what you have to do. 

Last year, Columbia University Medical Center, one of two medical centers that are part of the New York-Presbyterian Hospital organization, reported a security breach may have exposed information about 6,800 patients on the Internet. "The information was inadvertently exposed on a web page, and as soon as this error was discovered, we made sure that the web page was removed," according to a hospital statement (see: New York Hospital Reports Internet Breach).

Without discussing details of the incident, Braxton noted during a presentation at the American Conference Institute's Healthcare Information Privacy & Security Forum in Philadelphia that the breach resolution process she outlined covers the expectations of the HHS Office for Civil Rights for complying with the HIPAA breach notification rule. OCR staff investigating the breach emphasized, for example, the importance of disciplining staff responsible for a breach, she pointed out.

Also at the conference, Dawn Morgenstern of the Walgreens drugstore chain stressed the need to carefully document all necessary breach investigation and notification actions and responsibilities to avoid chaos when an incident occurs. "When you have this process documented, it helps you not panic because you already know what you have to do," she said.



About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Will Cyberattacks Lead to Prolonged Conflicts?
Will Cyberattacks Lead to Prolonged Conflicts?
Legal Implications of the AMCA Data Breach
Legal Implications of the AMCA Data Breach
Battling Supply Chain Security Risks
Battling Supply Chain Security Risks
Tesla Vulnerability: A Bounty Hunter's Tale
Tesla Vulnerability: A Bounty Hunter's Tale
How Deception Technology Is Evolving
How Deception Technology Is Evolving
The Future SOC: Harmonizing Detection and Response
The Future SOC: Harmonizing Detection and Response
Huawei Policy: Why India Must Chart Its Own Path
Huawei Policy: Why India Must Chart Its Own Path
Analysis: The Significance of GDPR Fines
Analysis: The Significance of GDPR Fines
John Halamka: Mitigating Medical Device Security Risks
John Halamka: Mitigating Medical Device Security Risks
Proactive Mobile Threat Defense
Proactive Mobile Threat Defense

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.