This article is sponsored by Celerium.
Instead of focusing only on prevention before a breach and on response after a data breach has occurred and become reportable to HHS OCR, hospitals should consider the time in between, and develop an institutional focus on proactivity through early awareness of possible data breach activity.
The Challenge of Early Detection
Understandably, most attention today goes to prevention measures. However, once a data breach occurs and IT or incident response (IR) processes formally determine that more than 500 ePHI records have been stolen, the organization starts the 60-day clock for submitting a data breach disclosure to HHS/OCR. The dilemma, per seven years of IBM research, is that average data breach detection time can run to months, possibly as long as 6.9 months (about 200 days).
Legal Basis for Proactivity
In regulatory filings and class action lawsuits, common high-level accusations include failure to protect patient data adequately and insufficient investment in cybersecurity infrastructure. Two common types of accusation relate to a lack of proactivity:
- Failure to Implement Proactive Prevention Measures: Failing to deploy MFA, data encryption, patch management, and security awareness training can be characterized as a failure to implement proactive prevention measures.
- Failure to Implement Monitoring Systems: Monitoring systems matter before a breach because threat actors often get into systems despite prevention measures. Detection mechanisms for possible data breach activity provide proactive awareness (also known as “left of boom” insight).
Executive Level Awareness via Executive Data Breach Dashboards
The IT organization needs to understand the technical dimensions of possible data breach activity. Many hospital CEOs and other executives also feel pressure to be more proactive regarding data breaches. A set of summary and high-level Executive Dashboards needs to be created so that executives can understand possible data breach activity.
Executive Data Breach Dashboards: Individual Benefits for a Hospital CEO
- Personal Heads Up: A personal heads-up before a formal data breach is declared internally can enable a CEO to better understand the situation and associated risks.
- Demonstrate Personal Responsibility: CEOs can demonstrate personal executive responsibility and proactivity to regulators, in class action lawsuits, and during congressional hearings.
Institutional Benefits of Organizational Early Awareness and Proactivity
- Develop Organizational Responsibility: Implement a system that mobilizes and synchronizes hospital executives and IT staff around common data breach warnings.
- Implement Early Tactical Response: Early visibility about potential breaches can enable early tactical response, potentially lowering the probability of a full-blown data breach.
- Improve Organizational Agility: Improve organizational maturity and competence in addressing ever-evolving threat actor attacks.
- Involve Business Executives and Managers: Involve business executives and managers in proactive data breach defense.
- Implement Effective Solutions: Use data breach defense programs that provide dashboards for executives and IT staff.
Essential Considerations
It is important to emphasize that early awareness reports of potential data breach activity do not replace thoughtful and measured analysis and confirmation by IT and/or by formal IR processes.
Conclusion
Hospital executives should consider the benefits of increasing early awareness of data breach activity in their organization to improve focus, synchronization, agility, and tactical response.
Additional Information
Celerium offers a data breach defense program for health care organizations, leveraging expertise from providing security solutions to the Department of Defense. The Compromise Defender solution includes data breach dashboards and notifications for hospital executives and IT staff, along with manual and automatic containment functions.