How to Recover From The Hack Nightmare

Uploaded on 2016-02-10 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

What’s next when you discover a hack at your workplace? Healthcare organizations typically have detailed technical plans for closing access to networks, assessing damage and doing post mortems so it doesn’t happen again. But more than the technical repair that needs to go, organizations also need to have a plan for appropriately responding to the reputational hit that can occur from a hack.

It’s more than just a PR department’s “problem.” IT executives will need to be involved to manage the fallout and craft responses that limit the damage to the organization’s reputation.

When retailer Target suffered a large cyber attack, the company tried getting the word out quickly on the extent of the attack and what it was doing to mitigate the damage and protect customers. But it may have done too much too fast. Estimates of the number of affected customers later went up, and then went up again, contradicting initial statements, recalls Linn Freedman, a healthcare attorney and partner in the Robinson & Cole LLP law firm.

Organizations that suffer breaches face a dilemma of how to be transparent while needing to protect the organization and start restoring its reputation, says Robert Belfort, a partner at the Manatt, Phelps & Philips law firm. But if information is released too early, the organization may be perceived as having initially downplayed the significance of the attack, he warns. “Avoid the tendency to try to calm everyone’s nerves. It’s best to wait until you have more information to tell.”
 
“It’s clear that the best strategy is being upfront and honest, but waiting until you actually know what happened,” Freedman says.

When it comes to healthcare breaches, the stakes are higher for providers. Health records have more demographic information, including Social Security numbers, and often contain financial as well as extremely sensitive health information. That rich data set provides more opportunities for identity theft, the sale of health information and other fraudulent uses of personal data. Not only does it give hackers more data to use, it also makes it harder for investigators to determine how and when that information is used illegally.

The bar for protecting health data is, and also perceived to be by consumers, higher than retail or credit card information because of the stringent requirements of HIPAA, which are spelled out in the privacy notices patients are required to sign. When healthcare breaches do occur, providers and insurers often are found not to have followed those security measures, so brand reputations often suffer more than is the case with breaches in other industries.

In addition, consumers now expect that protective services such as credit monitoring and/or identity protection services will be offered when breaches occur. While two states—Connecticut and California—now mandate it, healthcare organisations have often been slow to offer those services, which can add to negative perceptions.

What follows is a blueprint for healthcare organizations that want a blueprint for restoring their reputation after a health data hack.

The increase in targeted healthcare cyber attacks should by now have convinced organizations they are likely to be breached, but many providers and payers are still unprepared. Assuming a breach will occur and being prepared in advance is the best way to not only better serve those affected, but also the organisation, says Daniel Gottlieb, a partner in the McDermott Will & Emery law firm. “Having an incident response policy in place and doing a tabletop exercise once a year would be ideal,” he advises. “If that’s not practical, less often is better than never.”

After a breach is discovered is not when an organisation should start deciding on protection services, looking for legal help and establishing relationships with enforcement agencies—those step should be taken now, Gottlieb says.

Offering protection services for two years is best but may not be financially feasible or necessary depending on the types of information compromised. But those services should be offered for at least a year, experts say. Attorney Belfort advises erring on the side of two years of protection if Social Security Numbers are involved.

An explanation of protective services being offered is commonly part of the notification letter sent out to affected patients. There is an art to writing the letter, Gottlieb says. It is important that the letter be written with an emphatic tone so it doesn’t sound like it was written by lawyers, and be authored by an executive who feels sincerely bad about what happened. It’s also a good idea with a large breach to put together a web video with the organization’s CEO apologizing and addressing how the organization is responding. This is not required, but shows that the top person is engaged. “It can be an effective way of communicating empathy and not being overly lawyer-driven,” Gottlieb adds.

It has become common for healthcare organisation to include a sentence in patient notification letters that to date, there has been no evidence that compromised data has been accessed or used.
Technically, that’s true, but the question is whether it is a wise statement to make, Belfort argues. The problem is that these statements sometimes are made before an organisation knows who hacked them, or why, and what the hackers plan to do with the information.

“Nobody really knows what’s happening with this information,” Belfort says. “The criminals often are very sophisticated. So don’t convey the impression that the risk is small. I understand the temptation to say that to protect the company and calm nerves, but you can lose trust later on.”

Another major way to bolster trust and credibility is to not make patients wait too long when trying to reach someone at the call center set up to answer patient questions and provide other information, according to Gottlieb.

Staff the center up from the beginning, when awareness and anxiety are at the highest points, and over a period of time staff down as call volumes drop. Experienced call center companies have data on the volume levels that can be expected and can assist in setting staffing levels, particularly in the first few days after a breach is made public. A hold time of 5 minutes or less, especially in the early days, is ideal.

Social media
When a breach occurs and an organisation’s patients or health plan members learn of it, so will the rest of the world thanks to the wonders of social media. Affected individuals will be posting their impressions--as well as information that may or may not be accurate.

Want to know how your affected patients or health plan members are digesting news of the breach? Hire a crisis management firm to monitor social media, dispel myths or untruths, and get your information out, Freedman counsels. Well-known healthcare organisations should have a crisis management firm on retainer before a breach happens.
Make sure patients commenting on social media can contact a real person to talk about the breach and related information, Freedman says. “These are patients; they want to talk to someone and make sure it doesn’t happen again.”

In a strange twist, a lax security provision in HIPAA often reduces the legal responsibility of healthcare organizations for data breaches.

The law originally had what providers and payers considered an unrealistic standard for overseeing how well their business associates secure protected health information. That standard later was modified so that covered entities were not responsible for a business associate’s breach unless they were aware of a pattern of questionable practices and subsequently did not compel the business associate to take mitigating actions.

But while not technically responsible for unknown acts of business associates, covered entities can still suffer a serious blow to their reputations. As a result, some organisations are increasingly more aggressive in their oversight of their business associates as part of more comprehensive security strategies.

Fix it
In the aftermath of a breach, Freedman says, the strongest step an organization can take to repair the damage is take a hard look at security practices, make improvements and publicise them to the extent they can.

And it isn’t just cyber attacks to worry about; consumers understand the new reality of data security and expect an organisation to take action across the board.

“A stolen unencrypted laptop is unacceptable today; you’re going to lose a lot of credibility,” she contends. “Patients will say, ‘How in the world can you be using unencrypted laptops?’” Consequently, encrypting laptops, flash drives and emails, and encrypting data at rest, is how an organisation can show its commitment to security, she adds.

Information-Management: http://bit.ly/1T2qfD9

« China’s Dangerous View of Cyber Deterrence
Self-Driving Car Poses High Hacking Risk »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Cyberis

Cyberis

Cyberis are pioneers in customer-focussed information security. Since 2011, we’ve been helping businesses protect their brands, customers and reputation.

British Assessment Bureau

British Assessment Bureau

The British Assessment Bureau is an ISO certification body. We check conformity and compliance of companies to recognised ISO standards including ISO 27001.

Agenci

Agenci

Agenci are specialists in cyber security and information security and deliver ISO 27001 Certification.

Italian Association of Critical Infrastructure Experts (AIIC)

Italian Association of Critical Infrastructure Experts (AIIC)

AIIC acts as a focal point in Italy for expertise on the protection of Critical Infrastructure including ICT networks and cybersecurity.

Privitar

Privitar

Privitar is leading the development and adoption of privacy engineering technology enabling our customers to innovate and leverage data with an uncompromising approach to data privacy.

SafeBreach

SafeBreach

SafeBreach's platform simulates hacker breach methods across the entire kill chain to identify breach scenarios in your environment before an attacker does.

macmon secure

macmon secure

macmon secure develops network security software, focussing on Network Access Control.

Havelsan

Havelsan

HAVELSAN is a leading technology company in Turkey developing indigenous systems for domestic and foreign military, public and private sector clients.

Eskive

Eskive

Eskive is a Brazilian cyber security awareness and education platform that empowers users and strengthens their company in the face of cyber threats.

Amadeus Capital Partners

Amadeus Capital Partners

Amadeus Capital Partners offers over 20 years’ experience in technology investment. Our areas of focus include AI & machine learning and cyber security.

CISO Global

CISO Global

CISO Global (formerly Cerberus Sentinel) are on a mission to demystify and accelerate our clients’ journey to cyber resilience, empowering organizations to securely grow, operate, and innovate.

Cyvatar

Cyvatar

Cyvatar is a technology-enabled cyber security as a service (CSaaS) provider delivering smarter managed security to help you achieve compliance and security faster and more efficiently.

Aura

Aura

Aura is a mission driven technology company dedicated to creating a safer internet for everyone. We’re making comprehensive digital security that's simple to understand and easy to use.

TempoCap

TempoCap

TempoCap is a European growth-stage technology fund with offices in London and Berlin. We invest across a variety of high- growth sectors including cybersecurity.

VMware

VMware

VMware is a leading provider of multi-cloud services for all apps, enabling digital innovation with enterprise control.

A&O Shearman

A&O Shearman

A&O Shearman is a law firm at the forefront of the forces changing the current of global business: energy transition, life sciences, technology, private capital, finance and beyond.