Healthcare Cyber Liability: How to Effectively Respond to a Data Breach


The Ponemon Institute estimates that the cost of a data breach grew 23% in the last year to $3.79 million. Moreover, although data breaches are not limited to any one industry, the healthcare sector is particularly hard hit, especially by criminal attacks: nearly half (45%) of data breaches experienced by healthcare organizations are the result of criminal activity. Mitigating these risks is critical, but so is having an effective response in the event of a breach. Executing a response strategy requires skill and careful planning, along with the united efforts of an organization’s legal, PR, security, and privacy or compliance departments and any outside vendors, such as additional counsel, the Cyber insurance carrier, and a breach services vendor.

According to ID Experts, there are several best practices to follow to effectively respond to a data breach. These include:

    1. Assemble incident facts and produce digital data for analysis. This involves inventorying the data and establishing a chain of custody to track the original media; creating a forensically sound image of the original media for analysis, with a backup copy; and, if possible, performing forensics and data analysis under attorney-client privilege.

    2. Examine the data to determine the facts of the potential breach. Determine whether the breach is benign or malicious, the source of the breach, who was affected, the data stolen (name, Social Security number, credit card number, health insurance information), the scope and extent of exposure, any third-party involvement, and whether the data was accessed or exfiltrated (data exfiltration is the unauthorized transfer of sensitive information from a target’s network to a location that a threat actor controls).

    3. Document all findings in a clear and defensible way that can be upheld in courts of law and before enforcement agencies. Record every action taken during forensics and data analysis. Seek “work product” status (ownership) for reports and findings.

    4. Perform an incident risk assessment to determine whether the privacy or security incident is a data breach that legally requires notification. Even if an incident is not a notifiable breach, consider the risks to affected individuals and to the reputation of your company if the breach is discovered and you chose not to notify.

    5. Keep abreast of the latest federal, state, and international laws. The findings of your data analysis must be assessed against the most current breach notification regulations to determine whether you have a notifiable breach on your hands. Regulations such as the Gramm-Leach-Bliley Act (GLBA) and the HIPAA Final Rule have specific requirements and thresholds for when and how to notify affected individuals and the media. Moreover, 47 states and three territories have their own requirements for breach notification, which can often be more stringent than federal laws.

    6. Prepare to meet the burden of proof with documentation of all your findings. Whether or not you choose to provide notification, regulators will want to know the reasons for your decision. You will have to demonstrate that you have a consistent, defensible method for incident risk assessment to show due diligence and regulatory compliance.

    7. Engage appropriate outside partners, including your legal counsel, insurance broker, and breach response services provider, to minimize the cost and impact of breach response and help preserve your company’s reputation. Also, be sure your insurance carrier is notified of a breach to maximize applicable coverage. Some services may be included as part of your Cyber Liability insurance program.

    8. Tailor your notification and response to the specifics of the incident. Your breach response plan should be based on the demographics, customer relationships, and risk information of the affected population, to meet individual needs and best demonstrate compliance.

    9. Ensure completeness of response. This includes breach response project management; crisis PR; notification to the breached population, regulatory agencies, and the media; call-center services and a website; appropriate identity protection and monitoring; and identity recovery services.

    10. Notify affected individuals, regulatory agencies, and the media in compliance with the latest regulations. All communications should be consistent and specific to the incident, and should include details of the breach, containment measures, the ongoing investigation, services offered to affected individuals, and contact information. Have counsel review all notification communications to ensure compliance with regulations. Be sure to notify all relevant federal and state agencies. These may include the Department of Health and Human Services (HHS), the Federal Trade Commission (FTC), and the Attorney(s) General of the state(s) where you do business and/or where the affected population resides.

    11. Provide the appropriate identity monitoring and protection. Victims of a healthcare data breach need protection for their medical records as well as any financial information. In these situations, credit monitoring is not enough. Match your identity monitoring and protection offer to the type of data breached: medical identity monitoring for healthcare, credit monitoring for financial breaches, etc.

    12. Provide identity recovery services for victims of identity theft. Helping the customers or patients whose identities have been stolen is the highest priority. Provide either in-house or outsourced identity recovery experts to assist victims. Also, plan to assist with every aspect of identity recovery, from resolving disputes and filing complaints to providing limited power of attorney.

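Steps 1 and 3 above call for a forensically sound image, a chain of custody for the original media, and a record of every action taken during analysis. The following Python script is an added example, not code from the original post or from ID Experts, showing the minimum mechanics behind those steps: the original image is hashed, a working copy is produced and verified to hash identically, every handling step is appended to an append-only custody log, and the working copy is re-verified before use so that any alteration is detected. File names, actor names and the image bytes are constructed for the demonstration; real evidence would be imaged from the media with a write blocker and the log kept alongside the physical custody form.

```python
"""Chain-of-custody helper for a forensic image (added example, not from the original post).

Assumes the original media has already been imaged to a file. The working copy
is produced here as a byte-for-byte copy, and each handling step is appended to
a JSON-lines custody log. Paths, actor names and sample bytes are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large images are never loaded whole


def hash_file(path: Path) -> str:
    """SHA-256 of a file, computed as a stream."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def log_custody_event(log_path: Path, actor: str, action: str, item: Path,
                      digest: str, note: str = "") -> dict:
    """Append one custody record; the log is append-only so every step is preserved."""
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "item": str(item),
        "sha256": digest,
        "note": note,
    }
    with log_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record


def create_working_copy(original: Path, copy: Path, log_path: Path, actor: str) -> bool:
    """Copy the image for analysis and verify the copy hashes identically to the original.

    Returns True only when the digests match; a mismatch is logged and the
    copy must not be used for analysis.
    """
    original_digest = hash_file(original)
    log_custody_event(log_path, actor, "hash-original", original, original_digest)
    shutil.copyfile(original, copy)
    copy_digest = hash_file(copy)
    ok = copy_digest == original_digest
    log_custody_event(log_path, actor, "create-working-copy", copy, copy_digest,
                      note="verified" if ok else "MISMATCH: copy does not match original")
    return ok


def verify_integrity(path: Path, log_path: Path, expected_digest: str, actor: str) -> bool:
    """Re-hash an item before analysis to show it is unchanged since acquisition."""
    digest = hash_file(path)
    ok = digest == expected_digest
    log_custody_event(log_path, actor, "verify", path, digest,
                      note="unchanged" if ok else "MISMATCH: item altered since acquisition")
    return ok


def read_log(log_path: Path) -> list:
    """Return the custody log as a list of records."""
    with log_path.open(encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def demo() -> dict:
    """Run the workflow on a constructed image in a temp directory (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        original = d / "evidence-original.img"
        original.write_bytes(b"constructed sample image bytes " * 1000)
        working = d / "evidence-working.img"
        log = d / "custody.jsonl"
        copied = create_working_copy(original, working, log, actor="analyst-1")
        expected = hash_file(original)
        # Overwrite one byte of the working copy to show the pre-analysis check failing.
        with working.open("r+b") as f:
            f.seek(0)
            f.write(b"X")
        still_ok = verify_integrity(working, log, expected, actor="analyst-1")
        return {
            "copy_verified": copied,
            "tampered_copy_verified": still_ok,
            "log_entries": len(read_log(log)),
        }


if __name__ == "__main__":
    print(demo())
```

Running the script reports that the fresh working copy verified, that the deliberately altered copy failed verification, and that three custody records were written; the failing record is what an analyst would cite when explaining why that copy was discarded and a new one made from the original.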
Carefully assess your Cyber Liability/Privacy & Network Security insurance program to understand what types of exposures are insured under the policy, how and when coverage is triggered, and what coverage you have, including payment for the costs of notifications, forensics, crisis management, business interruption, regulatory penalties and fines, third-party liability, and other critical protection. Axis Insurance Services specializes in securing Cyber Liability insurance for the healthcare/medical sector. We can help you put together a strong program to address the exposures you face and respond in the event of a cyber attack. Give us a call at (877) 787-5258.

Sources: Ponemon Institute, ID Experts

Blogged on: September 23, 2015 by Mike Smith