Improving Hospital Executives’ Early Awareness of Data Breaches

Hospital executives face a critical issue in mobilizing organizational focus on data breach defense.


This article is sponsored by Celerium.

Instead of focusing only on prevention before a breach and on response after a data breach has occurred and is reportable to HHS OCR, hospitals should consider the time in between, and evolve an institutional focus on proactivity by understanding Early Awareness of possible data breach activity.

The Challenge of Early Detection

Understandably, most attention today is on prevention measures. However, when a data breach occurs and IT or IR processes formally determine that more than 500 ePHI records have been stolen, the organization starts the 60-day clock to submit a Data Breach Disclosure document to HHS/OCR. The dilemma, per seven years of IBM research, is that detecting a data breach can take months on average, possibly as long as 6.9 months (about 200 days).

[Figure: Prevention to confirmed data breach of 500+ PHI records]

Legal Basis for Proactivity

In regulatory filings and class action lawsuits, common high-level accusations include failure to protect patient data adequately and insufficient investment in cybersecurity infrastructure. There are two types of common accusations related to lack of proactivity:

  1. Failure to Implement Proactive Prevention Measures: Failure to implement MFA, data encryption, patch management, and awareness training could be considered a failure to implement proactive prevention measures.
  2. Failure to Implement Monitoring Systems: Having monitoring systems in place before a breach is vital because threat actors can often breach systems despite prevention measures. Implementing detection mechanisms for possible data breach activity can provide proactive awareness (also known as “left of boom” insights).

Executive Level Awareness via Executive Data Breach Dashboards

The IT organization needs to understand the technical dimensions of possible data breach activity. Many hospital CEOs and other executives also feel pressure to be more proactive regarding data breaches. A set of summary and high-level Executive Dashboards needs to be created so that executives can understand possible data breach activity.

[Figure: Early awareness of possible data breach activity]

Executive Data Breach Dashboards: Individual Benefits for a Hospital CEO

  1. Personal Heads Up: A personal heads-up before a formal data breach is declared internally can enable a CEO to better understand the situation and associated risks.
  2. Demonstrate Personal Responsibility: CEOs can demonstrate personal executive responsibility and proactivity to regulators, in class action lawsuits, and during congressional hearings.

Institutional Benefits of Organizational Early Awareness and Proactivity

  1. Develop Organizational Responsibility: Implement a system that mobilizes and synchronizes hospital executives and IT staff around common data breach warnings.
  2. Implement Early Tactical Response: Early visibility about potential breaches can enable early tactical response, potentially lowering the probability of a full-blown data breach.
  3. Improve Organizational Agility: Improve organizational maturity and competence when addressing ever-evolving threat actor attacks.
  4. Involve Business Executives and Managers: Involve business executives and managers in proactive data breach defense.
  5. Implement Effective Solutions: Utilize data breach defense programs that provide dashboards for executives and IT staff.

Essential Considerations

It is important to emphasize that early awareness reports of potential data breach activity do not replace thoughtful and measured analysis and confirmation by IT and/or by formal IR processes.

Conclusion

Hospital executives should consider the benefits of increasing early awareness of data breach activity in their organization to improve focus, synchronization, agility, and tactical response.

Additional Information

Celerium offers a data breach defense program for health care organizations, leveraging expertise from providing security solutions to the Department of Defense. The Compromise Defender solution includes data breach dashboards and notifications for hospital executives and IT staff, along with manual and automatic containment functions.
