How to Recover From The Hack Nightmare

What’s next when you discover a hack at your workplace? Healthcare organizations typically have detailed technical plans for closing access to networks, assessing damage and doing post mortems so it doesn’t happen again. But beyond the technical repair, organizations also need a plan for responding appropriately to the reputational hit that a hack can cause.

It’s more than just a PR department’s “problem.” IT executives will need to be involved to manage the fallout and craft responses that limit the damage to the organization’s reputation.

When retailer Target suffered a large cyber attack, the company tried getting the word out quickly on the extent of the attack and what it was doing to mitigate the damage and protect customers. But it may have done too much too fast. Estimates of the number of affected customers later went up, and then went up again, contradicting initial statements, recalls Linn Freedman, a healthcare attorney and partner in the Robinson & Cole LLP law firm.

Organizations that suffer breaches face a dilemma of how to be transparent while needing to protect the organization and start restoring its reputation, says Robert Belfort, a partner at the Manatt, Phelps & Philips law firm. But if information is released too early, the organization may be perceived as having initially downplayed the significance of the attack, he warns. “Avoid the tendency to try to calm everyone’s nerves. It’s best to wait until you have more information to tell.”
 
“It’s clear that the best strategy is being upfront and honest, but waiting until you actually know what happened,” Freedman says.

When it comes to healthcare breaches, the stakes are higher for providers. Health records have more demographic information, including Social Security numbers, and often contain financial as well as extremely sensitive health information. That rich data set provides more opportunities for identity theft, the sale of health information and other fraudulent uses of personal data. Not only does it give hackers more data to use, it also makes it harder for investigators to determine how and when that information is used illegally.

The bar for protecting health data is higher than for retail or credit card information, and consumers perceive it that way, because of the stringent requirements of HIPAA, which are spelled out in the privacy notices patients are required to sign. When healthcare breaches do occur, providers and insurers often are found not to have followed those security measures, so brand reputations often suffer more than is the case with breaches in other industries.

In addition, consumers now expect that protective services such as credit monitoring and/or identity protection services will be offered when breaches occur. While two states—Connecticut and California—now mandate it, healthcare organizations have often been slow to offer those services, which can add to negative perceptions.

What follows is a blueprint for healthcare organizations that want to restore their reputation after a health data hack.

The increase in targeted healthcare cyber attacks should by now have convinced organizations they are likely to be breached, but many providers and payers are still unprepared. Assuming a breach will occur and preparing in advance is the best way to better serve not only those affected but also the organization, says Daniel Gottlieb, a partner in the McDermott Will & Emery law firm. “Having an incident response policy in place and doing a tabletop exercise once a year would be ideal,” he advises. “If that’s not practical, less often is better than never.”

After a breach is discovered is not the time for an organization to start deciding on protection services, looking for legal help and establishing relationships with enforcement agencies—those steps should be taken now, Gottlieb says.

Offering protection services for two years is best but may not be financially feasible or necessary depending on the types of information compromised. But those services should be offered for at least a year, experts say. Attorney Belfort advises erring on the side of two years of protection if Social Security Numbers are involved.

An explanation of the protective services being offered is commonly part of the notification letter sent out to affected patients. There is an art to writing the letter, Gottlieb says. It is important that the letter be written in an empathetic tone so it doesn’t sound like it was written by lawyers, and that it be authored by an executive who feels sincerely bad about what happened. With a large breach, it’s also a good idea to put together a web video with the organization’s CEO apologizing and addressing how the organization is responding. This is not required, but it shows that the top person is engaged. “It can be an effective way of communicating empathy and not being overly lawyer-driven,” Gottlieb adds.

It has become common for healthcare organizations to include a sentence in patient notification letters stating that, to date, there has been no evidence that compromised data has been accessed or used.
Technically, that’s true, but the question is whether it is a wise statement to make, Belfort argues. The problem is that these statements sometimes are made before an organization knows who hacked it, why, and what the hackers plan to do with the information.

“Nobody really knows what’s happening with this information,” Belfort says. “The criminals often are very sophisticated. So don’t convey the impression that the risk is small. I understand the temptation to say that to protect the company and calm nerves, but you can lose trust later on.”

Another major way to bolster trust and credibility is to not make patients wait too long when trying to reach someone at the call center set up to answer patient questions and provide other information, according to Gottlieb.

Staff the center up from the beginning, when awareness and anxiety are at their highest, and staff down over time as call volumes drop. Experienced call center companies have data on the volume levels that can be expected and can assist in setting staffing levels, particularly in the first few days after a breach is made public. A hold time of 5 minutes or less, especially in the early days, is ideal.

Social media
When a breach occurs and an organization’s patients or health plan members learn of it, so will the rest of the world, thanks to the wonders of social media. Affected individuals will be posting their impressions, as well as information that may or may not be accurate.

Want to know how your affected patients or health plan members are digesting news of the breach? Hire a crisis management firm to monitor social media, dispel myths or untruths, and get your information out, Freedman counsels. Well-known healthcare organizations should have a crisis management firm on retainer before a breach happens.
Make sure patients commenting on social media can contact a real person to talk about the breach and related information, Freedman says. “These are patients; they want to talk to someone and make sure it doesn’t happen again.”

In a strange twist, a lax security provision in HIPAA often reduces the legal responsibility of healthcare organizations for data breaches.

The law originally had what providers and payers considered an unrealistic standard for overseeing how well their business associates secure protected health information. That standard later was modified so that covered entities were not responsible for a business associate’s breach unless they were aware of a pattern of questionable practices and subsequently did not compel the business associate to take mitigating actions.

But while not technically responsible for unknown acts of business associates, covered entities can still suffer a serious blow to their reputations. As a result, some organizations are becoming more aggressive in their oversight of business associates as part of more comprehensive security strategies.

Fix it
In the aftermath of a breach, Freedman says, the strongest step an organization can take to repair the damage is to take a hard look at its security practices, make improvements and publicize them to the extent it can.

And it isn’t just cyber attacks to worry about; consumers understand the new reality of data security and expect an organization to take action across the board.

“A stolen unencrypted laptop is unacceptable today; you’re going to lose a lot of credibility,” she contends. “Patients will say, ‘How in the world can you be using unencrypted laptops?’” Consequently, encrypting laptops, flash drives and emails, and encrypting data at rest, is how an organization can show its commitment to security, she adds.

Information-Management: http://bit.ly/1T2qfD9
