How to Recover From The Hack Nightmare

What’s next when you discover a hack at your workplace? Healthcare organizations typically have detailed technical plans for closing access to networks, assessing damage and doing post mortems so it doesn’t happen again. But beyond the technical repair work, organizations also need a plan for responding appropriately to the reputational hit that can follow a hack.

It’s more than just a PR department’s “problem.” IT executives will need to be involved to manage the fallout and craft responses that limit the damage to the organization’s reputation.

When retailer Target suffered a large cyber attack, the company tried getting the word out quickly on the extent of the attack and what it was doing to mitigate the damage and protect customers. But it may have done too much too fast. Estimates of the number of affected customers later went up, and then went up again, contradicting initial statements, recalls Linn Freedman, a healthcare attorney and partner in the Robinson & Cole LLP law firm.

Organizations that suffer breaches face a dilemma of how to be transparent while needing to protect the organization and start restoring its reputation, says Robert Belfort, a partner at the Manatt, Phelps & Philips law firm. But if information is released too early, the organization may be perceived as having initially downplayed the significance of the attack, he warns. “Avoid the tendency to try to calm everyone’s nerves. It’s best to wait until you have more information to tell.”
 
“It’s clear that the best strategy is being upfront and honest, but waiting until you actually know what happened,” Freedman says.

When it comes to healthcare breaches, the stakes are higher for providers. Health records have more demographic information, including Social Security numbers, and often contain financial as well as extremely sensitive health information. That rich data set provides more opportunities for identity theft, the sale of health information and other fraudulent uses of personal data. Not only does it give hackers more data to use, it also makes it harder for investigators to determine how and when that information is used illegally.

The bar for protecting health data is higher than for retail or credit card information, and consumers perceive it that way, because of the stringent requirements of HIPAA, which are spelled out in the privacy notices patients are required to sign. When healthcare breaches do occur, providers and insurers often are found not to have followed those security measures, so brand reputations often suffer more than they do after breaches in other industries.

In addition, consumers now expect that protective services such as credit monitoring and/or identity protection services will be offered when breaches occur. While two states—Connecticut and California—now mandate it, healthcare organisations have often been slow to offer those services, which can add to negative perceptions.

What follows is a blueprint for healthcare organizations that want to restore their reputation after a health data hack.

The increase in targeted healthcare cyber attacks should by now have convinced organizations they are likely to be breached, but many providers and payers are still unprepared. Assuming a breach will occur and being prepared in advance is the best way to not only better serve those affected, but also the organisation, says Daniel Gottlieb, a partner in the McDermott Will & Emery law firm. “Having an incident response policy in place and doing a tabletop exercise once a year would be ideal,” he advises. “If that’s not practical, less often is better than never.”

After a breach is discovered is not the time for an organization to start deciding on protection services, looking for legal help and establishing relationships with enforcement agencies—those steps should be taken now, Gottlieb says.

Offering protection services for two years is best but may not be financially feasible or necessary depending on the types of information compromised. But those services should be offered for at least a year, experts say. Attorney Belfort advises erring on the side of two years of protection if Social Security Numbers are involved.

An explanation of the protective services being offered is commonly part of the notification letter sent to affected patients. There is an art to writing the letter, Gottlieb says. It is important that the letter be written in an empathetic tone so it doesn’t sound like it was written by lawyers, and that it be authored by an executive who feels sincerely bad about what happened. With a large breach, it’s also a good idea to put together a web video of the organization’s CEO apologizing and addressing how the organization is responding. This is not required, but it shows that the top person is engaged. “It can be an effective way of communicating empathy and not being overly lawyer-driven,” Gottlieb adds.

It has become common for healthcare organizations to include a sentence in patient notification letters stating that, to date, there has been no evidence that the compromised data has been accessed or used. Technically, that’s true, but the question is whether it is a wise statement to make, Belfort argues. The problem is that these statements sometimes are made before an organization knows who hacked them, why, and what the hackers plan to do with the information.

“Nobody really knows what’s happening with this information,” Belfort says. “The criminals often are very sophisticated. So don’t convey the impression that the risk is small. I understand the temptation to say that to protect the company and calm nerves, but you can lose trust later on.”

Another major way to bolster trust and credibility is to not make patients wait too long when trying to reach someone at the call center set up to answer patient questions and provide other information, according to Gottlieb.

Staff the center up from the beginning, when awareness and anxiety are at the highest points, and over a period of time staff down as call volumes drop. Experienced call center companies have data on the volume levels that can be expected and can assist in setting staffing levels, particularly in the first few days after a breach is made public. A hold time of 5 minutes or less, especially in the early days, is ideal.

Social media
When a breach occurs and an organization’s patients or health plan members learn of it, so will the rest of the world, thanks to the wonders of social media. Affected individuals will be posting their impressions, as well as information that may or may not be accurate.

Want to know how your affected patients or health plan members are digesting news of the breach? Hire a crisis management firm to monitor social media, dispel myths or untruths, and get your information out, Freedman counsels. Well-known healthcare organizations should have a crisis management firm on retainer before a breach happens.

Make sure patients commenting on social media can contact a real person to talk about the breach and related information, Freedman says. “These are patients; they want to talk to someone and make sure it doesn’t happen again.”

In a strange twist, a lax security provision in HIPAA often reduces the legal responsibility of healthcare organizations for data breaches.

The law originally had what providers and payers considered an unrealistic standard for overseeing how well their business associates secure protected health information. That standard later was modified so that covered entities were not responsible for a business associate’s breach unless they were aware of a pattern of questionable practices and subsequently did not compel the business associate to take mitigating actions.

But while not technically responsible for the unknown acts of business associates, covered entities can still suffer a serious blow to their reputations. As a result, some organizations are becoming more aggressive in their oversight of business associates as part of more comprehensive security strategies.

Fix it
In the aftermath of a breach, Freedman says, the strongest step an organization can take to repair the damage is to take a hard look at its security practices, make improvements and publicize them to the extent it can.

And it isn’t just cyber attacks to worry about; consumers understand the new reality of data security and expect an organization to take action across the board.

“A stolen unencrypted laptop is unacceptable today; you’re going to lose a lot of credibility,” she contends. “Patients will say, ‘How in the world can you be using unencrypted laptops?’” Consequently, encrypting laptops, flash drives and emails, and encrypting data at rest, is how an organization can show its commitment to security, she adds.

Information-Management: http://bit.ly/1T2qfD9
