A Healthcare System’s Guide to Handling Data Breaches

As the medical profession continues to move away from paper documents and upgrade to digital files, protection against data breaches and hackers is becoming ever more important. In 2019 alone, massive companies such as Canva, Capital One, and Epic Games (the developer of Fortnite) reported data breaches that, combined, jeopardized well over 250 million people.

In the healthcare industry, data breaches dont just mean emails and credit card information. Sensitive Personal Health Information is at risk of being stolen as well, making the stakes of cybersecurity even higher. When a hacker gets the best of your medical practice, how should you respond to make sure you stay compliant with HIPPA and cybersecurity laws? What sort of patient communications need to be distributed? How can you recover patient trust after a serious data breach?

Cybersecurity is complicated, but the clean-up after a data breach is even more complex. Some of the true costs associated with data breaches are:

  • Countless employee hours spent on the investigative process, cybersecurity upgrades, patient communications, and general stress.
  • Legal fees associated with high value yet incredibly expensive law firms that have experience with data breaches.
  • Potential fines, especially if the cause of your data breach was faulty or outdated security software.

After realizing your organization might be the victim of a data breach, here are three key steps to take.

Image for post

Determine the Cause

According to the HIPAA Journal, 40% of May 2020’s data breaches were caused by hackers. But a hacker is just one of the ways that sensitive health data can be stolen from your healthcare organization. An internal employee could accidentally or purposefully mismanage digital files, either through improper disposal or loss.

If your healthcare organization works with third-party vendors that handle PHI, there’s also the possibility that your vendor is the cause of your data breach. Not only does this make the solution and legal process more complicated, but it also means you should re-examine what cybersecurity features your vendors use and whether your organization’s security priorities align with theirs.

Work With a Legal Expert to Identify Options

Seeking legal counsel and potentially going to court over a class action lawsuit can be incredibly expensive for your organization. But similar to weighing the upfront cost of security software against the risk of a data breach, the cost of legal counsel will be worth it if it means staying compliant with federal cybersecurity regulations. There are many law firms that have experience in representing large, high-profile health networks when data breaches happen. Even if a lawsuit never occurs, lawyers can help you navigate the data breach — which is hopefully the first such incident for your medical practice.

As your lawyers will tell you, it’s vital to document each step you take throughout the breach process. Should a class action lawsuit occur, you’ll be thankful you recorded your handling of the incident. Seeking legal counsel early minimizes the chance of missing a step. And just like with cybersecurity software: better safe than sorry.

Communicate Early and Honestly

The HIPPA Breach Notification Rule requires all healthcare organizations to report a data breach within 60 days if over 500 individuals are affected. While silence might seem preferable in the short run, healthcare organizations can face serious fines (not to mention a PR disaster) if they fail to disclose their data breach.

In crisis communication, it’s important to release a statement that is not only truthful but also demonstrates a commitment to taking preventative action in the future. Facilitate collaboration between your legal team and your media relations team. Together, these people can craft a statement that satisfies HIPAA requirements and uses tactful and on-brand tone and verbiage. While communicating with your external vendors might not be explicitly required by the HIPPA Breach Notification Rule, sending a similar letter to these businesses could help them align their cybersecurity software and priorities with yours.

Trust Building and Damage Control

A data breach can cause a serious loss of confidence in your medical practice, which can damage the relationships you’ve built with your medical practice, your patients, and even your employees for years after the incident. In addition to sending the required communications to your patients to stay HIPPA compliant, here are a few strategies that can help your business recover customer trust:

  • Follow-up statement inserts — Your patients will want to know how your medical practice is responding to the current breach and what plan exists to prevent future breaches. Consider producing a quarterly statement insert that gives updates on your progress toward strengthening your practice’s cybersecurity measures.
  • IT and security upgrades — Make sure all the software that your practice uses is not only up-to-date but also protected by trusted security software. This includes your computers’ default web browser (old browsers, such as Microsoft Explorer, no longer receive updates and are therefore much easier to hack into). While the upfront cost might seem high, the cost of a data breach will undoubtedly be higher.
  • Vendor collaboration — Make sure your vendors are also prioritizing cybersecurity by taking similar actions. Specifically, be sure to work with third-party billing vendors that are committed to the responsible handling of patient PHI and financial information. Vendors should be HITRUST-certified, which demonstrates a professional and sustained approach to cybersecurity.

HITRUST Certification

A data breach could cost your medical practice millions of dollars. Even though taking preventative measures might seem premature or dramatic and not worth the money, the clean-up required after a serious data breach will cost you many multiples of what you’d spend on security software, as well as broken customer trust and countless working hours to sort out the damage.

Image for post

No matter the cause of your data breach, make sure you and your vendors are taking as many steps as possible to prevent data theft. HITRUST Certification maintains a common security framework by harmonizing all healthcare information security compliance standards. MailMyStatements was one of the first billing vendors to obtain HITRUST Certification. Because this certification must be renewed every two years after careful re-assessment and approval, HITRUST verifies that third-party vendors take a holistic, thorough approach to cybersecurity.

To avoid serious financial losses and damaged trust, be sure to work with a mailing and billing service that knows how to handle sensitive PHI.

Final Thoughts

Working with third-party service providers that perform a variety of functions, such as handling patient statements and patient payments, helps you navigate the increasing cost and complexity of running a healthcare practice, allowing you to improve cost-efficiency, augment the patient experience, and boost your bottom line.

To safeguard your patients’ interest while ensuring that your organization stays compliant to avoid hefty penalties and protect your reputation, you need to select vendors that are HITRUST-certified so you can rest assured that your patients’ sensitive information is in good hands.

Image for post

Derek Griffin is the VP of Sales and Business Development for MailMyStatements. He has over 13 years of experience as a healthcare sales executive, is experienced in multiple healthcare related fields from front office to billing and collections, and has worked in various roles within Optum, a UnitedHealth Group company and AdvanecedMD. He loves spending free time with his wife and kids, whether it is coaching the soccer team, attending dance recitals, or fixing bikes.

You can follow Derek on Twitter @Derek_Griffin1

Comments

Post a Comment

Popular posts from this blog

How to Improve Client Satisfaction With a Flawless Onboarding Experience

Image
  Your company has an awesome service. Your existing clients are, hopefully, “happy campers.” Why? Because your onboarding experience is unique, flawless, and responsive to each client’s needs. The transition from onboarding to “satisfied long-term client” is smooth, leaving the client with the sense that their business is better because of the successful and ongoing relationship you have facilitated. Getting a new client to say “YES” is just the beginning If the next steps in building the client r e lationship fail to create confidence and trust, buyer’s remorse may be knocking at your door. It’s easy to think that buyer’s remorse is about the purchase of a car, a house, or a designer purse or outfit on a now regrettable whim. But a new corporate client can experience the same type of regret or remorse. It’s important to remember that the person who agreed to this new arrangement put their assessment of the value of your services on the line with their higher-ups. If the onboarding ex
Read more

Medical Coding Changes to Know in 2021 [With Resources]

Image
  With the new year already upon us, many healthcare professionals are looking forward to a plethora of changes that 2021 is anticipated to bring. The mass vaccination of the global population against COVID-19; advancements in the field of remote patient monitoring; more funding for treatments such as immunotherapy and gene editing, and more are all undoubtedly on this year’s docket. The administrative side of healthcare is   not without its own New Year’s resolutions, though! The American Medical Association has published an update to the Current Procedural Terminology (CPT) code set, which includes various additions, edits, and deletions to outpatient Evaluation and Management (E/M) services codes. All of these medical coding changes are meant to smooth the administrative process and alleviate some of the box-checking burdens that clinicians face. These changes, which went into effect on January 1, will update the CPT code set to align with modern medical technology and procedures, m
Read more

6 Emerging Healthcare 3D Printing Applications

Image
  Over the past 30 years, 3D printing technology has continued to develop, improve, and become useful -even lifesaving – throughout various industries and applications. Did you know that many health systems are acquiring 3D printers to improve the quality, customization, and affordability of treatments and supplies? With the price of 3D printers becoming more affordable over the last ten years, the investment seems like a no-brainer to many healthcare systems. In fact, the global 3D printing healthcare  market size  was valued at $973 million in 2018, and is projected to reach $3,692 million by 2026, growing at a CAGR of 18.2% over the eight-year period. 3D printing is especially beneficial to the healthcare industry, as various medical practices are already relying on this technology to improve treatments. Let’s dive further into the specific 3D printing applications in healthcare and the future implications. Healthcare 3D Printing Customized Treatment Pharmacies and hospitals are tur
Read more