Breach Preparedness in the Healthcare Industry

Posted by John Dimaggio on Sep 21, 2016 1:48:32 PM

Is your healthcare organization equipped to respond to a suspected or confirmed data breach? According to Ponemon’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, data breaches in healthcare have remained consistently high for the sixth consecutive year in terms of volume, frequency, impact, and cost. In fact, nearly 90 percent of the healthcare organizations represented in the study had a data breach in the past two years, and nearly half (45 percent) had more than five data breaches in the same period.

Breaches happen. Don’t wait for a suspected or actual breach to occur before developing your breach preparedness plan. Organizations that experience a data breach with no plan in place are at greater risk of delayed breach containment, more extensive business disruption and slower recovery, missed federal and state regulatory patient notification deadlines, loss or destruction of forensic data, fines, prolonged media coverage, and reputational damage. A solid breach preparedness plan includes the following components:

  • Incident Response Plan. A security incident response plan should outline company-wide procedures for reporting a security incident, the names and contact information of the incident response team, incident assessment procedures, and the analytical and tactical steps that will be used to determine whether a breach has occurred.
  • Breach Policies and Procedures. Policies and procedures should incorporate the HIPAA definition of a breach; detection, assessment, and mitigation steps; legal breach notification requirements, including the timeliness, content, and method of notifications; breach response strategies; and identification of the individuals assigned to the breach response and post-breach forensic team. They should also include a process to periodically review and update the policy so that it remains relevant and compliant with federal, state, and local laws.
  • Data and Systems Documentation. Identify and document the location and movement of Protected Health Information (PHI), Personally Identifiable Information (PII), and financial information within your systems. Verify every method by which this data is accessed. Document the system hardware and software inventory, data flows, and network diagrams.
  • Data Liability/Cyber Insurance Coverage. When a data breach occurs, your organization’s business continuity and reputation are at risk. Insurance coverage can help your organization minimize potential business interruption, legal, liability, credit monitoring, and public relations costs.

Breaches are almost inevitable in today’s cyber-war arena. Yet creating a response plan can be challenging for many healthcare organizations that have limited resources and a shortage of trained IT security personnel. Consider partnering with a security and privacy compliance company that can develop a customized plan for your organization and ensure proper security measures are implemented before a potential incident.

BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH.  Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts.  Our national client base consists of hospitals, physician provider practices, Nursing Facilities, LTC Pharmacies, senior living organizations, homecare, hospice and business associates.  If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at