woman holding board reading "don't panic"

Responding to a Cyberattack

Hardly a day passes without a data breach revelation in the news, and perhaps no industry is more vulnerable for future attacks than health care. In 2015, the health care industry experienced more breaches stemming from cyberattacks than any other industry, a recent report by the U.S. Department of Health and Human Services found.

with co-author Bob Morgan

Cyber events can be detrimental to health care organizations, including payers and providers and, most importantly, patients. While prevention needs to be taken seriously, it’s extremely important to also make sure you know what to do in the event a cyber event does occur.

Stop and Call Your Lawyer

Once you are notified of a cyber event or breach occurrence, the first thing you should do is call the lawyer on your legal team designated to take the lead on these matters. It’s important for your team to have one central voice, and your lawyer should be it. This person is someone who knows your business, knows your team, has helped prepare your incident response plan and has been looped into discussions about what to do when there’s a data breach.

This designated lawyer should also be very familiar with your HIPAA risk management plan. The plan should be updated annually and assign scores to your risk so you can put tools in place to mitigate the risk of a breach in the first place. The goal of the plan is to formulate a quantitative or qualitative value for each risk (or set of risks) and therefore determine what course of action the company will take. Though we are discussing a breach in the context of its occurrence, risk management plans enable hospitals to know their vulnerabilities and become more familiar with their cyber operations if something does occur.

When developing the plan, consider using red, yellow and green lights or a 1-10 scale to understand the severity of risk (in terms of probability multiplied by impact) and use that severity to determine whether you will (1) mitigate, (2) eliminate (i.e., remove the program from operations), (3) avoid (i.e., ensure against the risk) or (4) accept (i.e., do nothing). This could evaluate spear-phishing, the fraudulent practice of sending emails from a trusted sender to induce targeted individuals to reveal confidential information, for example. This risk has a medium probability and a high impact in an email-intensive environment, so, you could give it a red light, or an 8 out of 10.  This indicates that you need to eliminate, mitigate or avoid (you cannot accept). You can’t eliminate the risk because hospitals need email. Now you must mitigate, avoid or both. In this case, you would probably employ a strategy of purchasing insurance and mitigating by utilizing a spam filter, scanning attachments and training employees not to click on unusual links.

As much as you can safeguard and adhere to plans like the above, breaches do happen, so, it is important to have an incident response plan in place. A strong response plan includes:

  • The list of individuals to call and engage with immediately, which we recommend does not exceed seven individuals. This will likely include a member of:
    • The IT team (they should be called in the first five minutes of a breach),
    • The board of directors,
    • The employee communications director,
    • Your media relations team and
    • A clinical representative (Head of Clinicians, Nursing, etc.).
  • A method of reaching each of these individuals that does not include company email (home phone numbers, cell phone numbers and personal emails). Keep in mind, however, that any email transmitted to a personal account should be brief and geared toward initiating a phone call. Personal email could be unsecure and may not be privileged.
  • A repository of key documents including insurance obligations.

If you have a team of six to assist, why call your lawyer first? You need someone that knows your business, is familiar speaking to a variety of audiences – including regulators and media – and can help translate and build messaging. IT does not speak the same language as the board; clinicians are not trained to interact with journalists as compared to a media director.

Second, and most importantly, it is critical to communicate within attorney-client privilege to the maximum extent possible. Once legal is engaged, make sure they are included and engaged on emails; merely copying counsel is not enough to privilege an email. It will give your team options for when formal proceedings happen.

Assess and Activate

The first goal in any breach response is to stop the bleeding.  This means segregation of the affected servers or endpoint (i.e., computers, laptops, etc.) and removal from the network. As in medicine, the first rule is “do no harm” (or no further harm). Taking servers offline while not deleting or unplugging them is generally a prudent step, especially when you are confident that data is being actively exfiltrated to unknown networks. This analysis should be among the first performed by IT in an incident response plan. Once you can halt the breach in its tracks or prevent things from getting worse, you can begin to execute your response plan. Here’s what to do:

  • Ask IT for an assessment of the extent of the breach, and then call your external forensics team, who should be pre-authorized. Forensics should not be called in too late. Waiting too long can mean the inadvertent loss of data or the failure to capitalize on information that could assist a law enforcement investigation.
  • Begin to script the necessary documentation and communications according to the following guidelines:
    • It’s important to be forthright if you know how the breach has occurred.
    • Develop an honest and non-leading public relations statement.
    • Ensure your call center is prepared to answer questions before and after a public notification or media story publishes.
  • Talk to key stakeholders, keeping these considerations in mind:
    • Once your response team is notified, begin to speak with clinicians and administrators. In your response plan, you should have pre-listed the groups of individuals who hold different types of data or private information. Information should be given on need-to-know basis. In some cases, all employees and the public will need to know (for example, operational interruptions). In other cases, only certain employees should be advised until the company is prepared to go public with the information.
    • In the case of a health care system or health care organization, remember that patients come first. For example, while it may be difficult for clinicians, you may be required to temporarily revert to paper charting to ensure your patients’ data is protected while an investigation is underway or until a server is reactivated.

Inform Law Enforcement and the Public 

Depending on the type of breach and its size, there are a variety of organizations that will need to be called. While it’s not necessary to call enforcement within minutes of a breach, it’s important to know who you should call. For a HIPAA breach involving 500 patients or more, you will be required to notify the Secretary of HHS within 60 days of the date of discovery of the breach, for example.

If you call the FBI, don’t be alarmed if they don’t call you back right away. They often want you to run your own investigation. In some cases, the FBI or other law enforcement may ask you to withhold notice of the breach while the investigation is pending. This pauses the notification clock under HIPAA and, generally, under state law as well. Keep in mind: the legal requirements can be contradictory — for example, a regulator (or the FBI) may ask that you notify no one, but your insurer may require notice within 10 days to trigger coverage. In this instance, work with the FBI to first gain their approval to provide appropriate notice to the insurer, and document the request.

Review Obligations

The most important part of any response plan or compliant reaction is notification. Verifying and staying current with breach notification requirements is a good example of valuable pre-breach planning.  Spending a few hours every six months reviewing insurance and regulatory notification requirements will help significantly when a crisis hits and there is no time to waste.

Post-breach, there is usually a requirement to notify an insurer of a covered incident within a specified timeframe or else waive coverage. Your legal team needs to verify all insurance notification requirements on day two at the latest. While the breach response team will be inundated with communication and IT needs, it is important not to lose sight of mandatory notification obligations that could pose significant financial or regulatory penalties.

Execute the Remainder of the Response Plan

While you may have notified all the necessary parties and even determined the source of the breach, your job is not done. Proper documentation and communication is crucial and must be maintained. Convene a meeting at the end of an incident response to discuss what happened, determine what could have been done better and document and share opportunities for improvement with the response team. Remember: this sort of communication should only occur with a non-privileged group after regulatory proceedings/lawsuits have concluded. You do not want email or other communications suggesting there were deficiencies in the response when matters are pending.

Christian Auty

Christian Auty is a Principal at law firm Much Shelist. An experienced litigator, Christian has an established reputation as a strong client advocate and is well-versed in issues on the intersection of law and technology, including data privacy and data breach response, electronic discovery, data storage and retention practices and information governance.


Related Post