MAeHC CEO: In case of breach, 'don't panic'
BOSTON — When thieves broke into the car of a Massachusetts eHealth Collaborative employee in 2011, the company’s president and CEO, Micky Tripathi, experienced the natural stages of loss - from anger to ‘grudging’ acceptance.
“We were burdened with the stigma of losing the data,” Tripathi said.
Rather than acting hurriedly, MAeHC constructed a well-laid plan covering every aspect that needed to be handled to remain compliant and protect as much patient data as possible, Tripathi explained Wednesday during the HIMSS and Healthcare IT News Privacy & Security Forum here.
“Your lawyers aren’t going to be the only ones to take care of the breach,” Tripathi said. “By themselves they are ambiguous and offer different opinions on what to do.”
But Tripathi explained it’s also important to get the business side involved to ask the crucial questions: Was this a breach? Who needs to be notified? How many records were really lost? Who is responsible?
“You’ve got to stop and find a seriously dedicated senior level person to take ahold of the problem,” Tripathi stressed. “Check your own pulse and don’t panic.”
That senior manager, in fact, will lead IT and make the breach its highest priority. Tripathi said this is the most crucial part of surviving a breach with minimal damage.
Once that person is in place, Tripathi recommended that organizations keep a chronological account of daily activities to answer inquiries, create a crisis response team focused primarily on the breach, and then conduct a forensic analysis that includes de-duplicating the breached records to determine the number of patients affected.
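The de-duplication step matters because a raw row count overstates the number of people affected when the same patient appears in several exports with different formatting. The following is an added illustration, not MAeHC's own tooling; it assumes a hypothetical record layout with MRN, name and date-of-birth columns and uses a constructed sample.

```python
import re
from datetime import datetime

# Constructed sample: rows recovered from the stolen device's exports. The same
# patient appears more than once with inconsistent MRN padding, name order,
# case, spacing and date format, so len(rows) is not the number of patients.
BREACHED_ROWS = [
    {"mrn": "000123", "name": "Jane Q. Doe", "dob": "1970-05-01"},
    {"mrn": "123",    "name": "DOE, JANE",   "dob": "05/01/1970"},
    {"mrn": "",       "name": "John Smith",  "dob": "1982-11-30"},
    {"mrn": "",       "name": "john  smith", "dob": "11/30/1982"},
    {"mrn": "777",    "name": "Ann Lee",     "dob": "1990-01-15"},
    {"mrn": "",       "name": "Ann Lee",     "dob": "1990-01-15"},
]

def normalize_dob(dob):
    """Accept ISO or US date strings and return ISO (YYYY-MM-DD)."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(dob.strip(), fmt).date().isoformat()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date of birth: {dob!r}")

def normalize_name(name):
    """'DOE, JANE' / 'Jane Q. Doe' -> 'jane doe' (lowercase, no initials)."""
    name = name.strip().lower()
    if "," in name:
        last, first = [p.strip() for p in name.split(",", 1)]
        name = f"{first} {last}"
    parts = [p for p in re.split(r"\s+", name) if len(p.strip(".")) > 1]
    return " ".join(parts)

def count_affected_patients(rows):
    """Return the number of distinct patients in the breached rows."""
    def demo(row):
        return (normalize_name(row["name"]), normalize_dob(row["dob"]))
    # First pass: learn which name+DOB pairs belong to a known MRN, so that a
    # row missing its MRN can still be linked to the same patient.
    demo_to_mrn = {}
    for row in rows:
        mrn = row["mrn"].strip().lstrip("0")
        if mrn:
            demo_to_mrn[demo(row)] = mrn
    # Second pass: key each row by MRN when known, else by normalized name+DOB.
    patients = set()
    for row in rows:
        mrn = row["mrn"].strip().lstrip("0")
        patients.add(mrn or demo_to_mrn.get(demo(row)) or demo(row))
    return len(patients)

if __name__ == "__main__":
    print(f"{len(BREACHED_ROWS)} rows, "
          f"{count_affected_patients(BREACHED_ROWS)} distinct patients")
```

The count returned here, not the row count, is the figure to carry into the notification decision and into the chronological log of the response.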
And don’t provide too many details to external parties, as the ‘facts’ in the beginning are frequently wrong and you’ll almost certainly have to go back and correct what was said.
Providers also need to understand what contractors and vendors are doing with data, as the company is responsible, Tripathi explained, and that means reaching out to them regularly to determine what they’re doing and understand their challenges as well as any risks they present.
The Privacy & Security Forum took place in Boston, Dec. 5-7, 2016.