Hood: Data breaches are inevitable. Here's how to prepare

The Daily Briefing's Hanna Jaquith recently spoke with Ernie Hood, a senior research director for the Advisory Board's IT Suite and former chief information officer at Group Health Cooperative, about a potential data breach involving celebrity Kim Kardashian, and why a future breach—involving the Royal Baby, perhaps?—is bound to happen.

Q: Kim Kardashian is one in a long list of high-profile patients—Tom Hanks, Michael Jackson, and Maria Shriver, among others—who have had their data breached. Why are data breaches so common?

Hood: I think it's because our ability to protect information has been vastly exceeded by our ability to intrude. Honestly, even with perfect security, incidents like the Kardashian breach will happen: Someone who has legitimate [credentials] to view certain clinical data will access it inappropriately. It's human nature.

We know from a 2012 HIMSS survey that 22% of health care organizations have experienced a breach. Good grief, Google, Lockheed Martin, and RSA have all been breached—these are high-tech firms that you would never suspect this to happen to.

Data breaches are pretty much (or just about) inevitable; what hospitals are failing to do is prepare for them. We know from studies that the top indicator of how bad the consequences of a breach will be is how quickly and effectively an organization reacts to it. But hospitals are not spending the time needed to prepare for a breach in advance.

Q: But if these breaches are bound to happen, why spend so much time and resources on data privacy and security?

Hood: You want to minimize the odds. My point is not that money spent on prevention is wasted, it's that you should also devote resources to preparation. If you spend everything on prevention, then the likelihood is there will be a breach down the road and you'll wish you would have been prepared.

The big issue here in IT is that traditionally, the strategic approach to data privacy and security has been to build a firewall to "keep the bad guys out." With the growing availability of electronically available patient data—cell phones and tablets and what not—this is no longer possible.

Instead, industries are seeing a strategic shift from the "keep the bad guys out" posture to what is called Defense-in-Depth or continuous monitoring. The idea is that instead of solely investing in firewalls, I'm going to also invest in tracking how people access information and use data inside the system. Realistically, that's the only way you're going to catch employees who abuse their access.

Q: In that case, how can hospitals best mitigate the impact of a breach, should one occur?

Hood: In terms of breach preparations, it's important to establish a monitoring process, such as identifying certain people as high-profile patients and applying an additional level of monitoring to anybody who views restricted records. That way, you're more likely to catch a breach early.

  • Build a better breach plan: This webconference from the IT Strategy Council outlines the most important policies to have in place before a breach occurs.

However, the problem is that it is not always accurate to predict which providers will need access to what information, and thereby what data should be off limits. On this end, hospitals have been installing "break the glass" capabilities so that authorized users can override access restrictions in emergency situations while still providing for appropriate audit trail and disclosure log requirements.

Q. What about after the breach happens. What's the correct way to respond?

Hood: If there's a situation where a breach occurs, you must be in a position to act quickly. If the board of directors is required to sign off on sending out a press release, that's precious time—and potentially the hospital's reputation—that's lost. It is imperative to have a crisis team in power to declare a breach without going to the board to speed up the process.

When communicating to the public, it's important to state what has occurred and that the investigation is ongoing. If there are things that can be done to make up the situation to patients involved—like credit monitoring services or compensation for identity theft, which usually isn't the issue in celebrity breaches— that should also be communicated.

It's also important to accept responsibility. It is clearly a mistake for a hospital to say, "Mary Jane is at fault. It's not our problem." Instead, it should be: "We made a mistake. We apologize. Here's what's going to happen next."


Next in the Daily Briefing

Colorado hospital could cost $5M per bed

Read now

You May Also Like

Webconference Recording

How to Build a Breach Plan