5 ways to survive a hospital data breach

Karen Cheung

A few months ago, a friend of mine was escorted home by a police officer. Why? She had to show the officer her birth certificate to prove that she was, in fact, who she said she was. My friend had discovered the hard way that her identity had been stolen.

She never found out how it happened, but she's convinced that the source was a Florida hospital she visited while on vacation and a data breach that she heard about on the news, although the hospital never notified her.

These days, many people aren't surprised to learn their data has been breached (it's that commonplace), but as consumers, we do expect that organizations will make up for it and do everything they can to protect our identity, privacy and money.

Things get particularly touchy when it involves our medical conditions and lists of our medications. And when that's the case "I'm sorry" doesn't cut it.

Even the biggest hospitals are the target of data breaches, as evidenced by Boston's Beth Israel Deaconess Medical Center's announcement last week that a stolen computer risked the information of nearly 4,000 people. The hospital is now doing some serious damage control to make sure it doesn't happen again.

Data breaches at big-name hospitals unfortunately aren't unheard of. In 2011, healthcare data breaches accounted for three of the top six data breaches.

Earlier this summer, a stolen laptop from Boston Children's Hospital risked 2,100 patients' info. And remember Sutter Health, in which a stolen computer risked the information of a whopping 4 million patients, leading to a class-action lawsuit?

In addition to possible damage to a hospital's reputation and patient security, data breaches can cost a healthcare organization $2.2 million and the U.S. $6.5 billion each year, according to the research firm Ponemon Institute.

And it's even worse for small healthcare organizations, where a stunning 91 percent of you reported a data breach in the past year, according to a separate Ponemon Institute report. Yet only 29 percent say protecting personal health information is a high priority at the hospital.

So what can you do to make your hospital safe and how can you recover when it does happen?

1. Make your privacy policy clear

Even before a data breach happens, make it clear to patients what their privacy rights are.

The Federal Trade Commission urges providers not to bury important information in their privacy policies, but instead to put it in separate, easy-to-understand forms for patients to sign, Maneesha Mithal, FTC associate director of the division of privacy and identity protection, said at the Second Annual International Summit on the Future of Health Privacy in Washington, D.C., in June, FierceHealthIT reported.

2. Fess up and own up

Obviously, hospitals should investigate to find out the source--or in some cases, sources--of the data breach. The cause of the data breach isn't just one bad apple who took advantage of the system; there likely are vulnerabilities in that system that left patient and employee information wide open.

Certainly consult with legal counsel, but most often, patients just want to know what happened and how it's being fixed. What patients don't want to hear? That it's the IT vendor's brother's second cousin's dog's fault (or some other displaced blame).

"Everyone thinks everyone else is responsible," Pablo Molina, associate vice president of information technology and campus chief information officer at Georgetown University, said at the health privacy summit. "It's called 'the problem of many hands.' Accountability needs to run across the board to everyone involved."

3. Find another way to notify people besides a 'junk mail' letter

Should the unthinkable happen and your hospital does face a security breach, notify affected individuals in a timely fashion. As required by law, hospitals and other HIPAA-covered entities involved in data breaches affecting more than 500 individuals must report those instances to the media. But consider providing other notification besides the media. For instance, one reader told FierceHealthcare that she found out her information may have been breached not from the hospital but from our news story.

Consider updating the hospital website, contacting affected patients by phone or any other means besides the usual letter notification that patients think is junk mail.

Getting information to the public quickly gives them the chance to act quickly to mitigate their risk.

4. Support patients

Not surprisingly, 62 percent of healthcare consumers said their trust in their organization dropped because of a data breach, according to a Ponemon Institute survey last month. And 15 percent of them said they would end their relationship because of the breach.

Mitigate the damage by offering affected individuals credit-monitoring support and implementing a corrective action plan to prevent it from happening again.

5. Support staff

An action plan is only as good as the leadership's commitment to it.

Following its very embarrassing data breach, Beth Israel Deaconess Medical Center overhauled its bring-your-own-device action plan, whose laptop encryption program went into effect Monday. Every--that's every--personal and company-issued mobile device used for hospital-related business, including laptops, iPads and other tablet computers, will be encrypted for staff and students, Chief Information Officer John D. Halamka wrote in his blog, Life as a Healthcare CIO. In addition, Halamka explained that storing health or personal information with Internet cloud service providers like iCloud or DropBox is forbidden at the hospital.

The CIO suggested that organizations' culture also must change.

"[I]t is no longer sufficient to rely on policy alone to secure personal mobile devices. Institutions must educate their staff, assist them with encryption, and in some cases purchase software/hardware for personal users to ensure compliance with federal and state regulations," Halamka said.

Don't wait until a data breach hits your hospital. Move data security up from the bottom of the to-do list to the top. How has your hospital coped and what strategies do you have in place to prevent such data breaches? - Karen (@FierceHealth)