Over the course of just a few months, Massachusetts-based Partners HealthCare experienced four separate breaches across its affiliate hospitals. That gave the health system some valuable real-world experience in breach response, said Chief Information Security Officer Jigar Kadakia.
One incident at Partners was a phishing scam that compromised the information of more than 3,000 patients. Another, at The McLean Hospital, occurred when four backup data tapes –containing information about more than 12,600 people who’d donated or agreed to donate their brains to research – went missing.
Two other email-related incidents of unauthorized access or disclosure, at Massachusetts General Hospital and Brigham and Women’s Hospital, added 1,600 more patients to the list of those whose PHI had been breached.
“Process is essential for incident management and breach response,” said Kadakia, speaking at the Healthcare IT News and HIMSS Privacy and Security Forum in Boston on Wednesday.
“As IT professionals, we alway think like, ‘We need to find out what happened. We need to do forensic activities. We need to figure out what’s going on. We need to stop it,'” he explained. “That’s all IT-centric.
“But when you think about the bigger picture of breach response, there’s a lot of other components that most folks in the IT world don’t think about,” said Kadakia. “What do you think are the five most important things that relate to breach response? I firmly believe they’re communication, communication, communication, communication and communication.”
He wasn’t just repeating the word for emphasis. There are five specific types of communication – with five very different groups of stakeholders – that providers should become skilled in if they hope to steer their way through the fallout of a data breach, said Kadakia.
Internal communication. “Once you detect a security incident that may become a security breach, how do you communicate internally within the information security team?” he asked. “Not everyone needs to know – not everyone should know. But there should be a process in place with communication. Because once there’s a hint of an incident, people often overreact. And they overreact the wrong way. Once they find a piece of the puzzle, they think they should publicize it internally: ‘Hey, I think we figured it out.’ Then another crumb comes along and they figure out: ‘Maybe that was a false positive and we need to do something else.’ And so as you go through that process, communication internally is highly critical.”
Once a breach is definitively identified, “that’s when you start the other communications,” said Kadakia.
Communication with leadership. “The next step is how do you communicate with executive leadership and the board,” he said. “Again, you have to have your facts set. And if you don’t have your facts set, and you go to your leadership without the proper facts, they may go public and say something. And if they don’t have the facts, it ends up biting you: You’ll publicly say something and then you’ll have to retract. That’s what happened to Target. They didn’t have the facts set, the CEO went public and the storm happened after that.”
External communication. “How do you communicate with the public, about your brand, your reputation, about what happened,” Kadakia asked. “That’s a challenge. How do you do it? Do you work with your PR team? With external PR firms? When I talk about testing the process, you have to test it all the way through.”
Communication with constituents. “Your customers, your patients – have you figured out how to communicate with them? How are you going to handle questions that are going to come about as you talk to them? They’re going to ask a question if it’s their information that’s compromised. If I get a letter in the mail, I call the help desk, I ask what’s going on, because as a CISO I know all the steps, so I’m going to ask how the information got compromised and why they didn’t have better controls in place. That’s the first thing I’m thinking of when I get a letter.”
Communication with regulators. “If you report a breach, there is a path to communicate with regulators, whether it’s OCR, HHS, the state regulators,” said Kadakia. “If you think of all the things you’ve ever tested, and the technical components of what you do, at the end of the day it’s communication. Because ultimately it it doesn’t matter how big the breach is: It’s how you communicate outward that helps get you get through the breach.”
Most security professionals folks focus in on the technical components of data protection, on red team vs. blue team simulations and tabletop exercises, he said. But once a breach occurs, those drills essentially become obsolete. That’s when communications strategy, all too often ignored, becomes essential.
“You’ve got to test it, because within a 60 day window you’ve got a lot you have to get done,” said Kadakia. “And if you haven’t tested that component, frankly that one is the most difficult. There are a lot of people who have opinions. Leadership, external PR professionals, etc. How you navigate through that process is really critical. If it’s never been tested or worked through or even thought about, you’ll just be reacting to everything someone says.”