An article in For the Record magazine entitled "Call In the Reinforcements" discussed what healthcare organizations must do to be prepared to respond in the event they suffer a data breach. Day Pitney's Jim Bowers and Eric Fader were quoted in the article, which was published in December 2016 but not discussed on this blog until now.

Jim noted that many organizations may not be able to immediately detect and respond to data breaches. "The health industry is subjected to a plethora of data breaches, but this is common across most industries," he said. "Hacking is so sophisticated now that it may take months or perhaps years to find out someone has intruded on your information. It's an area where technology is trying to keep up ... but companies don't have it down to a science where they can know immediately."

Eric pointed out that breach investigations can be time-consuming. "First, you have to get your arms around where the information went, to whom it went, and whether it is likely to be further disseminated," he explained. "In some cases, upon investigation, you can stop the information that was initially considered a breach from getting further. Or, maybe there is no indication that it did get disseminated in a way that is potentially damaging."

"You have to very quickly be able to assess whether a breach has occurred, get notification out, and plug the gaps," Jim noted, adding that timely oversight and management position organizations well for what may hit them from the outside. He also pointed to the need for external expertise in pulling information together in a "forensic" manner. "We've seen situations where companies trying to plug the breach have destroyed evidence. You want to make sure that in correcting the leakage issue that you don't destroy evidence that might be crucial to litigation later on," Jim cautioned.

Jim observed that according to industry data, business associates of covered entities are involved in 30% of healthcare breaches, and he underscored the importance of closely managing and monitoring those relationships. He also pointed out that the majority of breaches are related to malicious activity or employee negligence, opening the door to external litigation.

Eric agreed, adding that a plaintiff will likely file a case first and ask questions later. While there is no private right of action under HIPAA, he explained that covered entities can be sued for such common-law or state-recognized causes of action as negligence or intentional infliction of emotional distress. "If you don't get your act together quickly, there are going to be all these other external pressures and people muddying the waters, which can easily distract from your core tasks," Eric said.