Incident Response Plan for PHI Data Breach

Tips for Developing an Incident Response Plan to Secure PHI

by Rick Kam, ID Experts

Does your healthcare organization have an incident response plan in place in the event of a data breach? We recently polled 200 healthcare privacy professionals and found that 22% said they do have a response plan. Thirty-three percent said they not only have a response plan but have also tested it. Unfortunately, 44% said they do not have a data breach incident response plan at all.

This is a positive result compared to five years ago, when it was rare to find an organization with a data breach IRP in place, much less one that had been tested. Even so, the overall adoption rate remains low.

Here are 3 tips when considering your incident response plan:

  1. Agree to goals as part of the plan: Get the executive team and incident response team aligned on the expected outcomes from the incident response. Is the highest priority meeting federal and state regulatory requirements? How important is it to avoid class action litigation? Where does protecting the brand fit into the priorities? What other factors does the board or executive team feel are key to a successful response? Once you set these goals, measure your success in achieving them and report that success to the executive team.
  2. Calculate the financial value of the PHI your organization is protecting or has just breached: Knowing the at-risk value of the compromised data helps determine what is reasonable to invest in responding to a data breach and supports management decision-making when financial trade-offs are being considered. Refer to the ANSI white paper “The Financial Impact of Breached PHI” for a methodology and examples of how to do this.
  3. Test your incident response plan: The poll showed that 33% of the organizations polled had tested their incident response plan. The best way to ensure the incident response team is prepared is to test the plan. There are a few ways to do this. Initiate a mock breach: call IT and report that your laptop was stolen and that you think it held 500 patient records including SSNs and health insurance numbers, then observe how your incident response team responds. Another option is to have an outside expert walk your organization through a practice breach response. The benefit of this approach is that the outside perspective and feedback may be more useful for refining your incident response plan and educating your executive team.

Check whether an incident response plan exists for your organization, and if it does, ask these questions:

  • When was it last updated?
  • Has it been tested?
  • What are the goals for a breach response?
  • Does the plan have a methodology to calculate the “value at risk” of the compromised data?

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions for protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, the Identity Management Standards Panel, and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and a member of the Research Planning Committee for the Center for Identity, which is part of the University of Texas at Austin.