Touchstone Medical Imaging (TMI) experienced a data breach affecting 307,000 patients. A misconfigured server exposed patient information, making it searchable through Google’s search engine. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) was notified via email of the incident.
The FBI contacted Touchstone to inform them of the incident. However, TMI waited four months before investigating it. Additionally, TMI failed to notify affected individuals in a timely fashion, waiting 147 days before sending out breach notification letters. As a result, TMI was fined $3 million for delayed notification, vendor mismanagement, and failure to conduct an accurate risk assessment.

What are the Requirements for Incident Response?

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to report security incidents to the Office for Civil Rights (OCR). HIPAA defines a security incident as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Breach notification requirements differ slightly depending on the size of the incident.

  • Meaningful Breach: affecting more than 500 individuals, a meaningful breach must be reported within 60 days of discovery. The incident must be reported to the OCR, affected individuals, and the media.
  • Minor Breach: affecting fewer than 500 individuals, a minor breach must be reported by the end of the calendar year. The incident must be reported to the OCR and affected individuals.

To prevent future incidents from occurring, organizations must develop corrective action plans. Corrective action plans must address the gaps in security measures that allowed the breach to occur. In addition to HIPAA breach notification requirements, healthcare organizations need to be aware of state reporting requirements, which are often stricter than the federal law.

Developing an Incident Response Plan

Having an incident response plan allows for the quick identification and reporting of security incidents. An incident response plan determines who is responsible for what in the event of a breach. It also tells employees how to:

  • Detect an incident
  • Contain an incident
  • Correct the situation
  • Recover lost data

An incident response plan determines procedures to follow to mitigate the impact of the breach. The following should be included in an incident response plan:

  • What to do when an incident is suspected
  • Who is responsible for evaluating the situation to determine if the incident is actionable
  • How to quickly respond to limit damage
  • How to find the source of the incident and how to address the incident
  • How to recover from the incident
  • Who ensures that changes are made to prevent future incidents

To develop an effective incident response plan, organizations must account for different scenarios. Some of the most common breach incidents include:

  • Phishing attacks
  • Ransomware attacks
  • Theft or loss of equipment
  • Unauthorized system access
  • Insider issues
  • Security failures

Developing an incident response plan allows organizations to quickly identify and respond to security incidents. Detecting a security incident quickly limits the impact of the breach, in turn affecting fewer patients and minimizing the costs associated with the breach.

This is Part IX of the XI-part blog series.

Behavioral health practices handle protected health information (PHI) regularly, and as such, must take precautions to safeguard the sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the ninth of which is incident response. (Each one of these XI HIPAA-outlined practices will be examined in its own article, labeled Part I-XI for your convenience.)