Industry Insights with Aaron Kirkpatrick

Third-Party Risk Management Strategies for Data Breaches

How to Defend Against Cyberattacks in Healthcare Organizations
The Blackbaud breach of 2020 was listed by HIPAA Journal as one of the largest healthcare data breaches of all time. Blackbaud, a large technology company, discovered a ransomware attack in May 2020. To make matters worse, the actual breach happened in February and wasn’t discovered by Blackbaud until months later. As of January 2021, more than six dozen healthcare organizations had shared that they’d been affected and over 8 million healthcare records had potentially been compromised.

Hackers can strike any industry, but there has been an alarming increase in targeted and successful cyberattacks in healthcare. According to data from the Department of Health and Human Services, there has been an 84% increase in data breaches against healthcare organizations from 2018 to 2021. Now, more than ever, it's essential that your healthcare organization is prepared and has strategies in place for managing data breaches. Remember, it is not a matter of if your security will be breached. Unfortunately, it's a matter of when.

7 Strategies for Managing Data Breaches

It's happened. You've experienced a data breach, or maybe one of your third parties has been the victim of one. What should you do next?

You can reduce the impact on your organization and your patients by doing the following:

  1. Follow your remediation policy. An effective remediation policy addresses data breaches quickly and communicates effectively with patients. Be sure to follow your patient notification policy as well.
  2. Be transparent. Admitting a breach is never enjoyable, but putting off the inevitable will lead to more mistrust and greater damage to your reputation.
  3. To preserve patient trust, offer credit monitoring services. A breach involving nonpublic personal information (NPPI) or protected health information (PHI) may ultimately increase the affected individuals' risk of identity theft.
  4. Implement stronger user authentication procedures. This is especially important if patients have access to online tools.
  5. Perform a root cause analysis and enhance security controls. By studying this breach, you can build stronger information security systems and protocols going forward.
  6. Assess your overall information security processes. Document the updates you make and provide employees with refresher training on topics such as how to spot a phishing email.
  7. If a third party caused the breach, make sure that they notified you on time. Make sure your contract language specifies the notification requirements for data breaches. Identify the consequences of a breach and outline what will happen afterward - for example, a more intensive audit, additional testing, etc.

Breaches can have costly consequences, including lower patient confidence, steep fines, and regulatory scrutiny. If there is a breach, don't let the damage escalate because you didn't follow up with the appropriate actions. Most importantly, take the initiative to learn from your mistakes. And make sure you have strategies in place to prevent the same events from occurring again. Keep documentation of how your organization handled a risk event to demonstrate proactive measures. Finally, make it a continuous practice to identify and assess new and emerging risks.

The truth is: No organization is immune from cyberattacks. But being proactive and having strategies in place to deal with the inevitable can lessen the potential occurrence, severity and impact of these events and protect your organization and its patients in the process.



About the Author

Aaron Kirkpatrick

Chief Information Security Officer, Venminder

Kirkpatrick manages the information security team and information security initiatives within Venminder. He has been an integral part of developing many of the company's product offerings, which customers use to simplify their risk management efforts, and he continues to enhance Venminder's information security and product offerings as the risk environment evolves. Kirkpatrick has held both management and control-based roles and has created and successfully led security, risk and audit programs. He taught network security at a community college over three class years and remains active with the program.

Kirkpatrick has many related professional certifications including: Certified Information Systems Security Professional (CISSP), ISACA’s Certified in Risk and Information Systems Control (CRISC), Certified Information Privacy Manager (CIPM), GIAC Certified Incident Handler (GCIH), and GIAC Critical Controls Certification (GCCC).
