You choose your path: Be Prepared OR Be Scared.
How many times have you heard an organization say “A data breach will never happen here,” “We are too small for a data breach to happen,” or “It only happens to hospitals and insurance companies”? Believing that a data breach will never happen to your organization can be your biggest mistake when it comes to preparing for and defending against one. If you asked all the organizations that have experienced a HIPAA data breach in the past 12 months, many of them would agree that they never believed that something like that could happen.
Healthcare covered entities and business associates need to plan and be prepared in the event a potential data breach does occur. Policies, procedures, and processes should be established that can be immediately activated in the event that a potential breach occurs and needs to be stopped, investigated, and mitigated.
Looking over the past week, we see data breaches are occurring at all types of healthcare facilities and for a variety of reasons.
- Buffalo Heart Group, 500 to 600 impacted – Third party working under a physician accessed information outside of the scope of the work to solicit patients in connection with a physician's move to a new practice
- Unity Recovery Group, Inc., Fewer than 1,000 impacted – improper disclosures of patient information to unaffiliated recovery services
- New Jersey Medical Center, 1,400 impacted – An e-mail with a spreadsheet meant for internal use was sent to an incorrect recipient
- Beacon Health, unknown impacted – Victim of a sophisticated phishing attack that caused unauthorized access to e-mails with PHI
- University of Rochester Medical Group, 3,400 impacted – Former nurse practitioner took patients’ personal information with her when she left for another organization
- HHC Jacobi Medical Center, 90,000 impacted – Improper access and transmission of files containing PHI to personal email account
- Associated Dentists – theft of a laptop – one was encrypted and the other was not encrypted
One piece of advice to all healthcare organizations and business associates: Be Prepared. Don’t follow the path of so many and think that a data breach will never occur within your organization.
If you are not confident about your breach notification response plan, review and update the plan so that it makes sense for your organization. Go through practice drills to ensure the process gets practiced and is realistic in the event of a potential data breach occurring.
If additional help is needed, reaching out to experts in the industry is always a great idea. Having third-party assistance in the creation and establishment of a process for your organization can help alleviate some of the fears and challenges that healthcare covered entities face.
Be prepared, plan accordingly, and ensure your breach investigation process is ready. You never know when your organization may be the next data breach. A good response plan can save your organization from the unwanted repercussions that data breaches bring to organizations.
“If you are failing to plan, you are planning to fail.” – Tariq Siddique