5-Step Plan in the Face of an EHR-related Security Breach

If your practice is hit by an EHR-related security breach, review your incident response plan, says security consultant with Altius Information Technologies, Jim Kelton. He's joking just a little when he tells practices this, because most haven't taken the time to develop such a plan.

The incident response plan should include the processes and procedures the practice needs to undertake in the event of an EHR-related security breach. This is not the time to be scrambling and skipping over important steps, says Kelton. Having a plan to follow makes your practice's response in the face of a security breach much smoother.

Here's what Kelton recommends in response to a security breach:

Alert. This phase may be triggered by a call from a patient because something doesn't look right in her patient record or because your receptionist notices a new Microsoft patch hasn't been applied.

This is when you realize your practice's EHR has been hit by a security breach.

Triage. Identifying the severity of the security breach takes up the bulk of this phase, says Kelton. This is the time to determine whether the practice is going to pursue a suspect for hacking into the system - in which case, you need to protect evidence - or if the practice will notify patients about the breach.

If the practice decides to pursue a legal case, much of this phase is spent gathering evidence and sifting through log files and e-mails, he adds. It's important to engage with legal counsel to determine the appropriate way to build a case against a suspect; the practice's lawyer may recommend working with a forensic investigator at this time.

Notification. It's at this point that the practice needs to notify patients of the security breach, says Kelton. He advises clients to be proactive but notes that guidance will vary from state to state.

In general, breach notifications must notify patients about the dates of the breach, the type of information that has been compromised, and contact information for the credit reporting agencies. In addition, the practice needs to provide notice of the breach on its website.

Notification requirements vary from state to state. Massachusetts, notes Kelton, has some of the toughest data breach laws in the nation. In addition to notifying the resident, the physician practice must provide notice of the security breach to the state's attorney general and the director of consumer affairs and business regulation.

Recovery. Kelton says this is when the practice determines what's required to get the EHR back to a functioning status. The practice may need to reinstall the operating system at this stage to ensure it's not corrupted. That's when the EHR must be tested in production mode to ensure the system is functioning properly after the breach.

Maintenance. This is when the practice takes a hard look at the lessons it's learned as a result of the security breach, says Kelton. Whether it occurred because security patches hadn't been applied properly or due to security controls that weren't in place, the practice now knows what needs to be addressed to head off a future security breach.