'VICTORY' key to robust health breach management


When talking about cybersecurity and breach management, Ty Faulkner, chief commercial officer at Rural Health Information Technology Corporation, focuses on one acronym: VICTORY.

It stands for vigilant, inspection, communicate, timeliness, ownership, rules and you.

“It goes from the business leader all the way to the [IT] gatekeeper that we really need to understand what it is we’re responsible for and what the rules are” when it comes to security, Faulkner said at the 25th National HIPAA Summit on Friday.

The Federal Trade Commission is continuing to release guidance and offering help to providers so they can follow through on that acronym.

“We’ve provided guidance on a range of issues, and we are updating our guidance on other things, including breach response, which will be coming in the weeks ahead,” said Laura VanDruff, assistant director for the Division of Privacy and Identity Protection at FTC.

To that end, the panelists also spoke on the best actions to take in the middle of a breach.


Nick Heesters, a privacy and security specialist at the Health and Human Services Department’s Office for Civil Rights, said providers first must respond, report and mitigate the risk. He also noted the importance of having an incident handling guide easily accessible so everyone is aware of next steps.

For his part, Faulkner said organizations often have recovery processes and plans in place in the event of a power loss or natural disaster. That standard form of ammo should also be available in the case of a breach, he said.

In a brief preview of breach guidance from FTC, VanDruff said it’s important for entities to assemble a team of experts at the beginning of the breach response process.

“Who those people are will depend on exactly what happened, what your business looks like and what the [protected health information] looks like,” she said, “but it could include forensics people, legal experts, information security professionals, human resources, etc.”

Other actions to take include moving systems offline, updating credentials and contacting criminal law enforcement to make them aware of the attack.

“The question of breach response doesn’t end at the four corners of your enterprise,” she added. “The breach may have started and may continue with your service providers depending on how your network is organized.”

As for efforts after any kind of security breach occurs, Jeremy Maxwell, a senior technical advisor at the Office of the National Coordinator for Health IT, said providers must take a step back and review which controls worked and which didn’t, as well as whether anything was missing.

“What you don’t want is to be in a situation where something has occurred, and then it occurs again,” he said.

If you say “we lost a laptop,” and then “we lost another laptop,” and then “oh, we lost a third laptop,” that looks bad, he added.

Faulkner said that is also the time to reconstruct and make things better.

You want to take that experience and that knowledge and build a stronger process, he said.