Blog

What Happens When a Health Facility Experiences a Data Security Breach?

Blog

What Happens When a Health Facility Experiences a Data Security Breach?

Blog

What Happens When a Health Facility Experiences a Data Security Breach?

Blog

What Happens When a Health Facility Experiences a Data Security Breach?

Blog

What Happens When a Health Facility Experiences a Data Security Breach?

Download PDFDownload PDF
Blog

What Happens When a Health Facility Experiences a Data Security Breach?

Abby Nieten
/
August 9, 2017
Blog

What Happens When a Health Facility Experiences a Data Security Breach?

MIN
/
August 9, 2017
About the Episode
Episode Highlights
Meet our Guest
Episode Transcript

Healthcare security breaches have been on the rise in recent years. In 2016 alone, more than 27 million patient records were compromised as part of 450 data security breach incidents. And 2017 isn’t looking much better, with several large breaches already logged with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Data security breaches can be costly—especially if they involve HIPAA violations. The largest HIPAA fine to date was collected in 2016, with Advocate Health System doling out $5.55 million. Coming in at a close second, Memorial Healthcare System was hit with a $5.5 million fine earlier this year. But HIPAA fines aren’t the only costs associated with healthcare security breaches. When a breach occurs, organizations must work through a series of time-consuming (and often expensive) actions to mitigate the situation. Here are 5 steps your healthcare organization should take to ensure an appropriate and timely response in the event of a data security breach:

#1: Identify vulnerabilities.

The first step is to identify the root of the problem and isolate any security issues to stop the breach. This may involve performing a risk analysis to determine the nature and scope of the security breach as well as its origin. You’ll want to answer the following questions:

  • Who is responsible for the breach? External hackers? Internal personnel?
  • When did the breach occur?
  • How did the breach occur? Were servers or systems hacked? Did an employee unlawfully access information?
  • Was any ePHI compromised?

#2: Seek professional legal and security counsel.

Next, you should seek assistance from legal and security professionals. The legal team can review your notification plan and help you draft communications and documentation related to the breach. They can also help prepare you for the potential of liability lawsuits and provide advice on how to handle people affected by the data leak. For instance, they may advise you to offer credit card monitoring to all victims for a period of time after the breach. The security team can do a deep dive into any identified security flaws. Then, they can help you fix network issues and ensure all systems have returned to a secure state.

#3: Notify appropriate parties.

Healthcare organizations that experience an ePHI security breach must adhere to a strict breach notification process, as laid out by the HIPAA Breach Notification Rule. In short, covered entities (and their business associates) must notify all affected individuals, the Secretary of HHS, and (possibly) the media. Facilities are required to notify prominent media outlets in their area if more than 500 individuals may have been affected by the breach. Notifications must be provided in a timely manner—within 60 days of the security breach discovery. If an organization doesn’t self-report a breach, it is considered willful neglect. If the unreported breach is discovered during a HIPAA audit, the organization could face a minimum fine of $10,000 per violation. Health organizations should also be aware of any state data breach notification laws that may come into play after a breach.

#4: Address risks.

While immediate threats should be addressed as soon as a data security breach is discovered, other outstanding issues may still need to be remedied after the breach is stopped and appropriate individuals are notified. You should conduct a thorough security audit to identify additional risks and work to implement safeguards to help protect your systems against future attacks. Some remediation actions to consider include:

  • Reformatting hacked devices
  • Restoring data from clean backups
  • Updating all accounts with new, secure passwords

#5: Manage resulting consequences.

Healthcare security breaches can have long-lasting consequences. As mentioned previously, HIPAA violations often lead to costly fines from the OCR. Depending on the circumstances surrounding the breach, criminal penalties (such as jail time) might also be handed down. Additionally, you’ll have your work cut out for you with regaining patient trust and restoring your reputation.

Dealing with a healthcare security breach can be an arduous process with a lot of complex details to consider. So it’s best to do what you can to avoid breaches all together. And that starts with a thorough HIPAA compliance plan. Click here to find out how Formstack’s HIPAA compliant online forms can be an integral part of your plan.

Blog

What Happens When a Health Facility Experiences a Data Security Breach?

Blog

What Happens When a Health Facility Experiences a Data Security Breach?

Get the Report

Not a valid e-mail address

Great, thank ya!

You can now access the content.
Oops! Something went wrong while submitting the form.
Blog

What Happens When a Health Facility Experiences a Data Security Breach?

Panelists
No items found.
Introduction
Introduction

Great, thank ya!

You can now access the content.
Download NowDownload Now
Oops! Something went wrong while submitting the form.

Healthcare security breaches have been on the rise in recent years. In 2016 alone, more than 27 million patient records were compromised as part of 450 data security breach incidents. And 2017 isn’t looking much better, with several large breaches already logged with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Data security breaches can be costly—especially if they involve HIPAA violations. The largest HIPAA fine to date was collected in 2016, with Advocate Health System doling out $5.55 million. Coming in at a close second, Memorial Healthcare System was hit with a $5.5 million fine earlier this year. But HIPAA fines aren’t the only costs associated with healthcare security breaches. When a breach occurs, organizations must work through a series of time-consuming (and often expensive) actions to mitigate the situation. Here are 5 steps your healthcare organization should take to ensure an appropriate and timely response in the event of a data security breach:

#1: Identify vulnerabilities.

The first step is to identify the root of the problem and isolate any security issues to stop the breach. This may involve performing a risk analysis to determine the nature and scope of the security breach as well as its origin. You’ll want to answer the following questions:

  • Who is responsible for the breach? External hackers? Internal personnel?
  • When did the breach occur?
  • How did the breach occur? Were servers or systems hacked? Did an employee unlawfully access information?
  • Was any ePHI compromised?

#2: Seek professional legal and security counsel.

Next, you should seek assistance from legal and security professionals. The legal team can review your notification plan and help you draft communications and documentation related to the breach. They can also help prepare you for the potential of liability lawsuits and provide advice on how to handle people affected by the data leak. For instance, they may advise you to offer credit card monitoring to all victims for a period of time after the breach. The security team can do a deep dive into any identified security flaws. Then, they can help you fix network issues and ensure all systems have returned to a secure state.

#3: Notify appropriate parties.

Healthcare organizations that experience an ePHI security breach must adhere to a strict breach notification process, as laid out by the HIPAA Breach Notification Rule. In short, covered entities (and their business associates) must notify all affected individuals, the Secretary of HHS, and (possibly) the media. Facilities are required to notify prominent media outlets in their area if more than 500 individuals may have been affected by the breach. Notifications must be provided in a timely manner—within 60 days of the security breach discovery. If an organization doesn’t self-report a breach, it is considered willful neglect. If the unreported breach is discovered during a HIPAA audit, the organization could face a minimum fine of $10,000 per violation. Health organizations should also be aware of any state data breach notification laws that may come into play after a breach.

#4: Address risks.

While immediate threats should be addressed as soon as a data security breach is discovered, other outstanding issues may still need to be remedied after the breach is stopped and appropriate individuals are notified. You should conduct a thorough security audit to identify additional risks and work to implement safeguards to help protect your systems against future attacks. Some remediation actions to consider include:

  • Reformatting hacked devices
  • Restoring data from clean backups
  • Updating all accounts with new, secure passwords

#5: Manage resulting consequences.

Healthcare security breaches can have long-lasting consequences. As mentioned previously, HIPAA violations often lead to costly fines from the OCR. Depending on the circumstances surrounding the breach, criminal penalties (such as jail time) might also be handed down. Additionally, you’ll have your work cut out for you with regaining patient trust and restoring your reputation.

Dealing with a healthcare security breach can be an arduous process with a lot of complex details to consider. So it’s best to do what you can to avoid breaches all together. And that starts with a thorough HIPAA compliance plan. Click here to find out how Formstack’s HIPAA compliant online forms can be an integral part of your plan.

Panelists
No items found.
Infographic

What Happens When a Health Facility Experiences a Data Security Breach?

When a health facility experiences a data security breach, it must take swift action to ensure an appropriate response to healthcare security breaches.
Download InfographicDownload Infographic

Healthcare security breaches have been on the rise in recent years. In 2016 alone, more than 27 million patient records were compromised as part of 450 data security breach incidents. And 2017 isn’t looking much better, with several large breaches already logged with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Data security breaches can be costly—especially if they involve HIPAA violations. The largest HIPAA fine to date was collected in 2016, with Advocate Health System doling out $5.55 million. Coming in at a close second, Memorial Healthcare System was hit with a $5.5 million fine earlier this year. But HIPAA fines aren’t the only costs associated with healthcare security breaches. When a breach occurs, organizations must work through a series of time-consuming (and often expensive) actions to mitigate the situation. Here are 5 steps your healthcare organization should take to ensure an appropriate and timely response in the event of a data security breach:

#1: Identify vulnerabilities.

The first step is to identify the root of the problem and isolate any security issues to stop the breach. This may involve performing a risk analysis to determine the nature and scope of the security breach as well as its origin. You’ll want to answer the following questions:

  • Who is responsible for the breach? External hackers? Internal personnel?
  • When did the breach occur?
  • How did the breach occur? Were servers or systems hacked? Did an employee unlawfully access information?
  • Was any ePHI compromised?

#2: Seek professional legal and security counsel.

Next, you should seek assistance from legal and security professionals. The legal team can review your notification plan and help you draft communications and documentation related to the breach. They can also help prepare you for the potential of liability lawsuits and provide advice on how to handle people affected by the data leak. For instance, they may advise you to offer credit card monitoring to all victims for a period of time after the breach. The security team can do a deep dive into any identified security flaws. Then, they can help you fix network issues and ensure all systems have returned to a secure state.

#3: Notify appropriate parties.

Healthcare organizations that experience an ePHI security breach must adhere to a strict breach notification process, as laid out by the HIPAA Breach Notification Rule. In short, covered entities (and their business associates) must notify all affected individuals, the Secretary of HHS, and (possibly) the media. Facilities are required to notify prominent media outlets in their area if more than 500 individuals may have been affected by the breach. Notifications must be provided in a timely manner—within 60 days of the security breach discovery. If an organization doesn’t self-report a breach, it is considered willful neglect. If the unreported breach is discovered during a HIPAA audit, the organization could face a minimum fine of $10,000 per violation. Health organizations should also be aware of any state data breach notification laws that may come into play after a breach.

#4: Address risks.

While immediate threats should be addressed as soon as a data security breach is discovered, other outstanding issues may still need to be remedied after the breach is stopped and appropriate individuals are notified. You should conduct a thorough security audit to identify additional risks and work to implement safeguards to help protect your systems against future attacks. Some remediation actions to consider include:

  • Reformatting hacked devices
  • Restoring data from clean backups
  • Updating all accounts with new, secure passwords

#5: Manage resulting consequences.

Healthcare security breaches can have long-lasting consequences. As mentioned previously, HIPAA violations often lead to costly fines from the OCR. Depending on the circumstances surrounding the breach, criminal penalties (such as jail time) might also be handed down. Additionally, you’ll have your work cut out for you with regaining patient trust and restoring your reputation.

Dealing with a healthcare security breach can be an arduous process with a lot of complex details to consider. So it’s best to do what you can to avoid breaches all together. And that starts with a thorough HIPAA compliance plan. Click here to find out how Formstack’s HIPAA compliant online forms can be an integral part of your plan.

Healthcare security breaches have been on the rise in recent years. In 2016 alone, more than 27 million patient records were compromised as part of 450 data security breach incidents. And 2017 isn’t looking much better, with several large breaches already logged with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Data security breaches can be costly—especially if they involve HIPAA violations. The largest HIPAA fine to date was collected in 2016, with Advocate Health System doling out $5.55 million. Coming in at a close second, Memorial Healthcare System was hit with a $5.5 million fine earlier this year. But HIPAA fines aren’t the only costs associated with healthcare security breaches. When a breach occurs, organizations must work through a series of time-consuming (and often expensive) actions to mitigate the situation. Here are 5 steps your healthcare organization should take to ensure an appropriate and timely response in the event of a data security breach:

#1: Identify vulnerabilities.

The first step is to identify the root of the problem and isolate any security issues to stop the breach. This may involve performing a risk analysis to determine the nature and scope of the security breach as well as its origin. You’ll want to answer the following questions:

  • Who is responsible for the breach? External hackers? Internal personnel?
  • When did the breach occur?
  • How did the breach occur? Were servers or systems hacked? Did an employee unlawfully access information?
  • Was any ePHI compromised?

#2: Seek professional legal and security counsel.

Next, you should seek assistance from legal and security professionals. The legal team can review your notification plan and help you draft communications and documentation related to the breach. They can also help prepare you for the potential of liability lawsuits and provide advice on how to handle people affected by the data leak. For instance, they may advise you to offer credit card monitoring to all victims for a period of time after the breach. The security team can do a deep dive into any identified security flaws. Then, they can help you fix network issues and ensure all systems have returned to a secure state.

#3: Notify appropriate parties.

Healthcare organizations that experience an ePHI security breach must adhere to a strict breach notification process, as laid out by the HIPAA Breach Notification Rule. In short, covered entities (and their business associates) must notify all affected individuals, the Secretary of HHS, and (possibly) the media. Facilities are required to notify prominent media outlets in their area if more than 500 individuals may have been affected by the breach. Notifications must be provided in a timely manner—within 60 days of the security breach discovery. If an organization doesn’t self-report a breach, it is considered willful neglect. If the unreported breach is discovered during a HIPAA audit, the organization could face a minimum fine of $10,000 per violation. Health organizations should also be aware of any state data breach notification laws that may come into play after a breach.

#4: Address risks.

While immediate threats should be addressed as soon as a data security breach is discovered, other outstanding issues may still need to be remedied after the breach is stopped and appropriate individuals are notified. You should conduct a thorough security audit to identify additional risks and work to implement safeguards to help protect your systems against future attacks. Some remediation actions to consider include:

  • Reformatting hacked devices
  • Restoring data from clean backups
  • Updating all accounts with new, secure passwords

#5: Manage resulting consequences.

Healthcare security breaches can have long-lasting consequences. As mentioned previously, HIPAA violations often lead to costly fines from the OCR. Depending on the circumstances surrounding the breach, criminal penalties (such as jail time) might also be handed down. Additionally, you’ll have your work cut out for you with regaining patient trust and restoring your reputation.

Dealing with a healthcare security breach can be an arduous process with a lot of complex details to consider. So it’s best to do what you can to avoid breaches all together. And that starts with a thorough HIPAA compliance plan. Click here to find out how Formstack’s HIPAA compliant online forms can be an integral part of your plan.

Collecting payments with online forms is easy, but first, you have to choose the right payment gateway. Browse the providers in our gateway credit card processing comparison chart to find the best option for your business. Then sign up for Formstack Forms, customize your payment forms, and start collecting profits in minutes.

Online Payment Gateway Comparison Chart

NOTE: These amounts reflect the monthly subscription for the payment provider. Formstack does not charge a fee to integrate with any of our payment partners.

FEATURES
Authorize.Net
Bambora
Chargify
First Data
PayPal
PayPal Pro
PayPal Payflow
Stripe
WePay
ProPay
Monthly Fees
$25
$25
$149+
Contact First Data
$0
$25
$0-$25
$0
$0
$4
Transaction Fees
$2.9% + 30¢
$2.9% + 30¢
N/A
Contact First Data
$2.9% + 30¢
$2.9% + 30¢
10¢
$2.9% + 30¢
$2.9% + 30¢
$2.6% + 30¢
Countries
5
8
Based on payment gateway
50+
203
3
4
25
USA
USA
Currencies
11
2
23
140
25
23
25
135+
1
1
Card Types
6
13
Based on payment gateway
5
9
9
5
6
4
4
Limits
None
None
Based on payment gateway
None
$10,000
None
None
None
None
$500 per transaction
Form Payments
Recurring Billing
Mobile Payments
PSD2 Compliant

Healthcare security breaches have been on the rise in recent years. In 2016 alone, more than 27 million patient records were compromised as part of 450 data security breach incidents. And 2017 isn’t looking much better, with several large breaches already logged with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Data security breaches can be costly—especially if they involve HIPAA violations. The largest HIPAA fine to date was collected in 2016, with Advocate Health System doling out $5.55 million. Coming in at a close second, Memorial Healthcare System was hit with a $5.5 million fine earlier this year. But HIPAA fines aren’t the only costs associated with healthcare security breaches. When a breach occurs, organizations must work through a series of time-consuming (and often expensive) actions to mitigate the situation. Here are 5 steps your healthcare organization should take to ensure an appropriate and timely response in the event of a data security breach:

#1: Identify vulnerabilities.

The first step is to identify the root of the problem and isolate any security issues to stop the breach. This may involve performing a risk analysis to determine the nature and scope of the security breach as well as its origin. You’ll want to answer the following questions:

  • Who is responsible for the breach? External hackers? Internal personnel?
  • When did the breach occur?
  • How did the breach occur? Were servers or systems hacked? Did an employee unlawfully access information?
  • Was any ePHI compromised?

#2: Seek professional legal and security counsel.

Next, you should seek assistance from legal and security professionals. The legal team can review your notification plan and help you draft communications and documentation related to the breach. They can also help prepare you for the potential of liability lawsuits and provide advice on how to handle people affected by the data leak. For instance, they may advise you to offer credit card monitoring to all victims for a period of time after the breach. The security team can do a deep dive into any identified security flaws. Then, they can help you fix network issues and ensure all systems have returned to a secure state.

#3: Notify appropriate parties.

Healthcare organizations that experience an ePHI security breach must adhere to a strict breach notification process, as laid out by the HIPAA Breach Notification Rule. In short, covered entities (and their business associates) must notify all affected individuals, the Secretary of HHS, and (possibly) the media. Facilities are required to notify prominent media outlets in their area if more than 500 individuals may have been affected by the breach. Notifications must be provided in a timely manner—within 60 days of the security breach discovery. If an organization doesn’t self-report a breach, it is considered willful neglect. If the unreported breach is discovered during a HIPAA audit, the organization could face a minimum fine of $10,000 per violation. Health organizations should also be aware of any state data breach notification laws that may come into play after a breach.

#4: Address risks.

While immediate threats should be addressed as soon as a data security breach is discovered, other outstanding issues may still need to be remedied after the breach is stopped and appropriate individuals are notified. You should conduct a thorough security audit to identify additional risks and work to implement safeguards to help protect your systems against future attacks. Some remediation actions to consider include:

  • Reformatting hacked devices
  • Restoring data from clean backups
  • Updating all accounts with new, secure passwords

#5: Manage resulting consequences.

Healthcare security breaches can have long-lasting consequences. As mentioned previously, HIPAA violations often lead to costly fines from the OCR. Depending on the circumstances surrounding the breach, criminal penalties (such as jail time) might also be handed down. Additionally, you’ll have your work cut out for you with regaining patient trust and restoring your reputation.

Dealing with a healthcare security breach can be an arduous process with a lot of complex details to consider. So it’s best to do what you can to avoid breaches all together. And that starts with a thorough HIPAA compliance plan. Click here to find out how Formstack’s HIPAA compliant online forms can be an integral part of your plan.

Healthcare security breaches have been on the rise in recent years. In 2016 alone, more than 27 million patient records were compromised as part of 450 data security breach incidents. And 2017 isn’t looking much better, with several large breaches already logged with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Data security breaches can be costly—especially if they involve HIPAA violations. The largest HIPAA fine to date was collected in 2016, with Advocate Health System doling out $5.55 million. Coming in at a close second, Memorial Healthcare System was hit with a $5.5 million fine earlier this year. But HIPAA fines aren’t the only costs associated with healthcare security breaches. When a breach occurs, organizations must work through a series of time-consuming (and often expensive) actions to mitigate the situation. Here are 5 steps your healthcare organization should take to ensure an appropriate and timely response in the event of a data security breach:

#1: Identify vulnerabilities.

The first step is to identify the root of the problem and isolate any security issues to stop the breach. This may involve performing a risk analysis to determine the nature and scope of the security breach as well as its origin. You’ll want to answer the following questions:

  • Who is responsible for the breach? External hackers? Internal personnel?
  • When did the breach occur?
  • How did the breach occur? Were servers or systems hacked? Did an employee unlawfully access information?
  • Was any ePHI compromised?

#2: Seek professional legal and security counsel.

Next, you should seek assistance from legal and security professionals. The legal team can review your notification plan and help you draft communications and documentation related to the breach. They can also help prepare you for the potential of liability lawsuits and provide advice on how to handle people affected by the data leak. For instance, they may advise you to offer credit card monitoring to all victims for a period of time after the breach. The security team can do a deep dive into any identified security flaws. Then, they can help you fix network issues and ensure all systems have returned to a secure state.

#3: Notify appropriate parties.

Healthcare organizations that experience an ePHI security breach must adhere to a strict breach notification process, as laid out by the HIPAA Breach Notification Rule. In short, covered entities (and their business associates) must notify all affected individuals, the Secretary of HHS, and (possibly) the media. Facilities are required to notify prominent media outlets in their area if more than 500 individuals may have been affected by the breach. Notifications must be provided in a timely manner—within 60 days of the security breach discovery. If an organization doesn’t self-report a breach, it is considered willful neglect. If the unreported breach is discovered during a HIPAA audit, the organization could face a minimum fine of $10,000 per violation. Health organizations should also be aware of any state data breach notification laws that may come into play after a breach.

#4: Address risks.

While immediate threats should be addressed as soon as a data security breach is discovered, other outstanding issues may still need to be remedied after the breach is stopped and appropriate individuals are notified. You should conduct a thorough security audit to identify additional risks and work to implement safeguards to help protect your systems against future attacks. Some remediation actions to consider include:

  • Reformatting hacked devices
  • Restoring data from clean backups
  • Updating all accounts with new, secure passwords

#5: Manage resulting consequences.

Healthcare security breaches can have long-lasting consequences. As mentioned previously, HIPAA violations often lead to costly fines from the OCR. Depending on the circumstances surrounding the breach, criminal penalties (such as jail time) might also be handed down. Additionally, you’ll have your work cut out for you with regaining patient trust and restoring your reputation.

Dealing with a healthcare security breach can be an arduous process with a lot of complex details to consider. So it’s best to do what you can to avoid breaches all together. And that starts with a thorough HIPAA compliance plan. Click here to find out how Formstack’s HIPAA compliant online forms can be an integral part of your plan.

Healthcare security breaches have been on the rise in recent years. In 2016 alone, more than 27 million patient records were compromised as part of 450 data security breach incidents. And 2017 isn’t looking much better, with several large breaches already logged with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Data security breaches can be costly—especially if they involve HIPAA violations. The largest HIPAA fine to date was collected in 2016, with Advocate Health System doling out $5.55 million. Coming in at a close second, Memorial Healthcare System was hit with a $5.5 million fine earlier this year. But HIPAA fines aren’t the only costs associated with healthcare security breaches. When a breach occurs, organizations must work through a series of time-consuming (and often expensive) actions to mitigate the situation. Here are 5 steps your healthcare organization should take to ensure an appropriate and timely response in the event of a data security breach:

#1: Identify vulnerabilities.

The first step is to identify the root of the problem and isolate any security issues to stop the breach. This may involve performing a risk analysis to determine the nature and scope of the security breach as well as its origin. You’ll want to answer the following questions:

  • Who is responsible for the breach? External hackers? Internal personnel?
  • When did the breach occur?
  • How did the breach occur? Were servers or systems hacked? Did an employee unlawfully access information?
  • Was any ePHI compromised?

#2: Seek professional legal and security counsel.

Next, you should seek assistance from legal and security professionals. The legal team can review your notification plan and help you draft communications and documentation related to the breach. They can also help prepare you for the potential of liability lawsuits and provide advice on how to handle people affected by the data leak. For instance, they may advise you to offer credit card monitoring to all victims for a period of time after the breach. The security team can do a deep dive into any identified security flaws. Then, they can help you fix network issues and ensure all systems have returned to a secure state.

#3: Notify appropriate parties.

Healthcare organizations that experience an ePHI security breach must adhere to a strict breach notification process, as laid out by the HIPAA Breach Notification Rule. In short, covered entities (and their business associates) must notify all affected individuals, the Secretary of HHS, and (possibly) the media. Facilities are required to notify prominent media outlets in their area if more than 500 individuals may have been affected by the breach. Notifications must be provided in a timely manner—within 60 days of the security breach discovery. If an organization doesn’t self-report a breach, it is considered willful neglect. If the unreported breach is discovered during a HIPAA audit, the organization could face a minimum fine of $10,000 per violation. Health organizations should also be aware of any state data breach notification laws that may come into play after a breach.

#4: Address risks.

While immediate threats should be addressed as soon as a data security breach is discovered, other outstanding issues may still need to be remedied after the breach is stopped and appropriate individuals are notified. You should conduct a thorough security audit to identify additional risks and work to implement safeguards to help protect your systems against future attacks. Some remediation actions to consider include:

  • Reformatting hacked devices
  • Restoring data from clean backups
  • Updating all accounts with new, secure passwords

#5: Manage resulting consequences.

Healthcare security breaches can have long-lasting consequences. As mentioned previously, HIPAA violations often lead to costly fines from the OCR. Depending on the circumstances surrounding the breach, criminal penalties (such as jail time) might also be handed down. Additionally, you’ll have your work cut out for you with regaining patient trust and restoring your reputation.

Dealing with a healthcare security breach can be an arduous process with a lot of complex details to consider. So it’s best to do what you can to avoid breaches all together. And that starts with a thorough HIPAA compliance plan. Click here to find out how Formstack’s HIPAA compliant online forms can be an integral part of your plan.

Healthcare security breaches have been on the rise in recent years. In 2016 alone, more than 27 million patient records were compromised as part of 450 data security breach incidents. And 2017 isn’t looking much better, with several large breaches already logged with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Data security breaches can be costly—especially if they involve HIPAA violations. The largest HIPAA fine to date was collected in 2016, with Advocate Health System doling out $5.55 million. Coming in at a close second, Memorial Healthcare System was hit with a $5.5 million fine earlier this year. But HIPAA fines aren’t the only costs associated with healthcare security breaches. When a breach occurs, organizations must work through a series of time-consuming (and often expensive) actions to mitigate the situation. Here are 5 steps your healthcare organization should take to ensure an appropriate and timely response in the event of a data security breach:

#1: Identify vulnerabilities.

The first step is to identify the root of the problem and isolate any security issues to stop the breach. This may involve performing a risk analysis to determine the nature and scope of the security breach as well as its origin. You’ll want to answer the following questions:

  • Who is responsible for the breach? External hackers? Internal personnel?
  • When did the breach occur?
  • How did the breach occur? Were servers or systems hacked? Did an employee unlawfully access information?
  • Was any ePHI compromised?

#2: Seek professional legal and security counsel.

Next, you should seek assistance from legal and security professionals. The legal team can review your notification plan and help you draft communications and documentation related to the breach. They can also help prepare you for the potential of liability lawsuits and provide advice on how to handle people affected by the data leak. For instance, they may advise you to offer credit card monitoring to all victims for a period of time after the breach. The security team can do a deep dive into any identified security flaws. Then, they can help you fix network issues and ensure all systems have returned to a secure state.

#3: Notify appropriate parties.

Healthcare organizations that experience an ePHI security breach must adhere to a strict breach notification process, as laid out by the HIPAA Breach Notification Rule. In short, covered entities (and their business associates) must notify all affected individuals, the Secretary of HHS, and (possibly) the media. Facilities are required to notify prominent media outlets in their area if more than 500 individuals may have been affected by the breach. Notifications must be provided in a timely manner—within 60 days of the security breach discovery. If an organization doesn’t self-report a breach, it is considered willful neglect. If the unreported breach is discovered during a HIPAA audit, the organization could face a minimum fine of $10,000 per violation. Health organizations should also be aware of any state data breach notification laws that may come into play after a breach.

#4: Address risks.

While immediate threats should be addressed as soon as a data security breach is discovered, other outstanding issues may still need to be remedied after the breach is stopped and appropriate individuals are notified. You should conduct a thorough security audit to identify additional risks and work to implement safeguards to help protect your systems against future attacks. Some remediation actions to consider include:

  • Reformatting hacked devices
  • Restoring data from clean backups
  • Updating all accounts with new, secure passwords

#5: Manage resulting consequences.

Healthcare security breaches can have long-lasting consequences. As mentioned previously, HIPAA violations often lead to costly fines from the OCR. Depending on the circumstances surrounding the breach, criminal penalties (such as jail time) might also be handed down. Additionally, you’ll have your work cut out for you with regaining patient trust and restoring your reputation.

Dealing with a healthcare security breach can be an arduous process with a lot of complex details to consider. So it’s best to do what you can to avoid breaches all together. And that starts with a thorough HIPAA compliance plan. Click here to find out how Formstack’s HIPAA compliant online forms can be an integral part of your plan.

Healthcare security breaches have been on the rise in recent years. In 2016 alone, more than 27 million patient records were compromised as part of 450 data security breach incidents. And 2017 isn’t looking much better, with several large breaches already logged with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Data security breaches can be costly—especially if they involve HIPAA violations. The largest HIPAA fine to date was collected in 2016, with Advocate Health System doling out $5.55 million. Coming in at a close second, Memorial Healthcare System was hit with a $5.5 million fine earlier this year. But HIPAA fines aren’t the only costs associated with healthcare security breaches. When a breach occurs, organizations must work through a series of time-consuming (and often expensive) actions to mitigate the situation. Here are 5 steps your healthcare organization should take to ensure an appropriate and timely response in the event of a data security breach:

#1: Identify vulnerabilities.

The first step is to identify the root of the problem and isolate any security issues to stop the breach. This may involve performing a risk analysis to determine the nature and scope of the security breach as well as its origin. You’ll want to answer the following questions:

  • Who is responsible for the breach? External hackers? Internal personnel?
  • When did the breach occur?
  • How did the breach occur? Were servers or systems hacked? Did an employee unlawfully access information?
  • Was any ePHI compromised?

#2: Seek professional legal and security counsel.

Next, you should seek assistance from legal and security professionals. The legal team can review your notification plan and help you draft communications and documentation related to the breach. They can also help prepare you for the potential of liability lawsuits and provide advice on how to handle people affected by the data leak. For instance, they may advise you to offer credit card monitoring to all victims for a period of time after the breach. The security team can do a deep dive into any identified security flaws. Then, they can help you fix network issues and ensure all systems have returned to a secure state.

#3: Notify appropriate parties.

Healthcare organizations that experience an ePHI security breach must adhere to a strict breach notification process, as laid out by the HIPAA Breach Notification Rule. In short, covered entities (and their business associates) must notify all affected individuals, the Secretary of HHS, and (possibly) the media. Facilities are required to notify prominent media outlets in their area if more than 500 individuals may have been affected by the breach. Notifications must be provided in a timely manner—within 60 days of the security breach discovery. If an organization doesn’t self-report a breach, it is considered willful neglect. If the unreported breach is discovered during a HIPAA audit, the organization could face a minimum fine of $10,000 per violation. Health organizations should also be aware of any state data breach notification laws that may come into play after a breach.

#4: Address risks.

While immediate threats should be addressed as soon as a data security breach is discovered, other outstanding issues may still need to be remedied after the breach is stopped and appropriate individuals are notified. You should conduct a thorough security audit to identify additional risks and work to implement safeguards to help protect your systems against future attacks. Some remediation actions to consider include:

  • Reformatting hacked devices
  • Restoring data from clean backups
  • Updating all accounts with new, secure passwords

#5: Manage resulting consequences.

Healthcare security breaches can have long-lasting consequences. As mentioned previously, HIPAA violations often lead to costly fines from the OCR. Depending on the circumstances surrounding the breach, criminal penalties (such as jail time) might also be handed down. Additionally, you’ll have your work cut out for you with regaining patient trust and restoring your reputation.

Dealing with a healthcare security breach can be an arduous process with a lot of complex details to consider. So it’s best to do what you can to avoid breaches all together. And that starts with a thorough HIPAA compliance plan. Click here to find out how Formstack’s HIPAA compliant online forms can be an integral part of your plan.

Abby Nieten
As Senior Manager, Content Strategy, Abby leads an amazing team of marketing content creators toward a shared content vision. She's been growing with Formstack since 2015 and spent several years as a professional editor before that.
More Articles
Meet The Host
Content Marketing Manager
Connect
Lindsay is a writer with a background in journalism and loves getting to flex her interview skills as host of Practically Genius. She manages Formstack's blog and long-form reports, like the 2022 State of Digital Maturity: Advancing Workflow Automation.