How to Respond to a Data Breach From a Third Party

By: Raj Shah, Esq., Baker Swain

Healthcare is one of the industries most vulnerable to cyberattacks. Although most cyberattacks happen because of human error within an organization, more healthcare organizations are experiencing data breaches that originate with third-party vendors. A third-party vendor is an entity contracted with the healthcare organization to provide items or services, such as electronic health record (EHR) systems and IT security systems. Fifty-one percent of organizations across all industries have experienced a data breach caused by a third party.

According to the Ponemon Institute/IBM Security study, healthcare organizations take, on average, 96 days to discover a data breach and 236 days to recover from one. Data breaches in the healthcare industry spiked fifty-five percent in 2020.

With cyberattacks becoming more prevalent, it’s important to have a plan for when you receive notice from a third party of a data breach. This article describes how healthcare organizations should respond when they receive notice of a third-party breach and best practices for how to mitigate the extent of future breaches.

What Should Healthcare Organizations Immediately Do When They Receive Notice of a Third-Party Breach?

Healthcare organizations typically receive notice of a data breach days, or even months, after it actually occurred. The third-party vendor usually sends a letter or email notifying the organization of the breach. If your organization receives a data breach notice, treat it as an important document and retain it in an administrative file after the following steps are taken.

Healthcare organizations should read the notice carefully and assess what information was compromised and to what extent. It is also important to reach out to the third party that sent the notice if more information about the breach is required, including whether the third party has remedied the breach on its end.

After reading the notice, if the breach is still ongoing, healthcare organizations should activate their incident response plan to mitigate the damage of the breach. If you have not created an incident response plan for a data breach, consider hiring outside counsel to guide the response efforts. PolicyOwners can also review sample incident breach responses on MagMutual’s Cyber Center located within the “My Account” section of your MagMutual online portal.

Steps for Effectively Responding to Third-Party Data Breaches

1. Implement an Incident Response Plan

An incident response plan is crucial in responding to a data breach. Implementing an incident response plan effectively requires running routine practice drills of what to do when a data breach happens so that medical staff can act immediately upon notification of a data breach.

Activating the incident response plan requires good communication internally and externally. The healthcare organization’s incident response plan should already have a point of contact assigned for communication purposes. The point of contact can gather statements from the third party about the data breach, update internal staff on the breach, and deliver pre-planned statements to patients whose information has potentially been compromised.

If the data breach affects the healthcare organization, implementing the incident response plan involves containing the data breach from your end as set out in the incident response plan. Once the third party or healthcare organization has contained the data breach, then follow the next steps in your incident response plan for what to do after the breach.

2. Preserve Evidence

Keep the notification of the breach and follow the procedures in your incident response plan for how to preserve and document evidence. Work with the affected third-party vendors on isolating the malware. Having evidence of the malware will facilitate reporting the breach to authorities. Forensic investigators can use this evidence to determine when and how the alleged breach took place and recommend steps for restoring the network or data. Documenting this evidence will help healthcare organizations cooperate with authorities and may help defend themselves in a potential lawsuit.

3. Contact the Relevant Authorities and Let Them Know What Happened

Once a breach occurs, notify the relevant authorities of the breach. Which authorities to notify, and exactly what healthcare organizations may disclose, depends on many factors.

a. Federal Disclosure Requirements

The HIPAA Breach Notification Rule and the HIPAA Privacy Rule govern the federal disclosure requirements about an alleged breach for most healthcare organizations. MagMutual has created a HIPAA toolkit for its policyholders, including a breach notification analysis, which can be found here.

Even if third parties were the subject of a data breach, healthcare organizations and third parties still must demonstrate that the use or disclosure of protected health information (PHI) did not result in a “breach,” as defined in the HIPAA regulations. To determine whether a breach occurred, organizations must consider the following factors:

1. What was the nature and extent of the PHI involved?

2. Who was the unauthorized person who used the PHI?

3. To whom was the disclosure made?

4. Was the PHI actually acquired or viewed?

5. To what extent has the risk to the PHI been mitigated?

Under HIPAA, business associates (third parties) must notify covered entities (healthcare organizations) of a breach within 60 days of discovering the breach. Organizations must notify individuals whose information was affected by the data breach. Disclosure requirements to the media and HHS also depend on the nature and extent of the breach.

The HIPAA Security Rule requires healthcare organizations to conduct risk assessments of their security systems and report their findings. The Security Rule also requires organizations to have a contingency plan in place for responding to disruptions to the EHR.

If you are unsure about which disclosure requirements apply, consider reaching out to MagMutual or your internal HIPAA Compliance Officer, or engaging an outside attorney.

b. State and Local Disclosure Requirements

Healthcare organizations may also have to consider state and local laws in the event of a data breach caused by a third party. State and local laws may have shorter reporting times than federal laws. These requirements may apply depending on what information the state law protects, what industries the state law applies to, and the size and extent of the data breach. A state-by-state chart of disclosure requirements can be found here.

4. Obtain a Root-Cause Analysis of the Data Breach from the Third-Party Vendor

After the third-party vendor or IT system provider has contained the data breach, organizations should obtain a root-cause analysis of the data breach from the affected third party.

The next section of this article will address another important part of a root-cause analysis: assessing your relationships with your third parties.

What Policies and Procedures Should Healthcare Organizations and Third-Parties Have to Reduce the Likelihood of Future Breaches?

Healthcare organizations should treat third-party risk as their own risk. Therefore, organizations should require third parties to maintain compliance with security requirements under applicable privacy and security laws. Compliance with security requirements should include assurance from third parties that their security systems comply with applicable federal, state, and local privacy and security laws.

Healthcare organizations should also review their Business Associate Agreements (BAAs) with third parties. BAAs should include provisions about how third parties will identify and notify organizations of a data breach. BAAs should define what a “breach” is and include exact timeframes in hours or days on when third-party vendors must notify healthcare organizations of a data breach. BAAs should also include provisions about data storage and disposal, descriptions of vendor’s privacy and security programs, right-to-audit clauses, and protocols for disclosing when deficiencies in security systems have been identified.

1. Healthcare Organizations Should Institute and Follow Policies and Procedures for How to Monitor and Screen Third Parties

First, healthcare organizations must identify their third parties. Many third parties also subcontract their services to other third parties. And smaller arrangements may hold higher risk than larger arrangements.

Once organizations have identified their third parties, they should develop a risk profile of each third party that focuses mainly on the third party’s controls and financial stability. Healthcare organizations can gather privacy and risk assessment information by having their third parties complete questionnaires and surveys, as well as by performing on-site visits.

a. Monitoring Third Parties

Healthcare organizations should interview and audit their third parties. These interviews and audits will help assess third parties’ security standards and best practices to determine if they meet the organization’s standards. MagMutual has guidance for what questions organizations should ask their IT vendors about their cybersecurity.

Healthcare organizations should also monitor data entering and leaving the organization. They should ensure data, like PHI, is encrypted to and from third parties.

b. Screening Third Parties

Healthcare organizations should develop processes for screening new third parties. Organizations should ask prospective third-party vendors questions about their security, especially what vulnerabilities exist in their security and what protocols they have for when a cyberattack happens to their systems. Healthcare organizations should also consider implementing a “least privilege” policy covering who inside the organization can access what type of data and networks. This policy should also apply to third parties.

2. Healthcare Organizations Should Ensure that All Third Parties Are Operating with Similar Security Controls

Personal devices can create problems for healthcare organizations because they may not be as secure as organization-approved devices. Requiring similar security controls across third parties gives organizations consistent control over the security measures that protect their data.

Healthcare organizations should categorize third parties in terms of risk. In doing so, they should determine the amount of risk that they are willing to accept from third parties, especially ones that may have a high impact on the organization.

Healthcare organizations should determine what services not only require third-party assessment but also insurance through the organization.

How Can Third Parties Make It Right with Healthcare Organizations?

After a third-party data breach, a healthcare organization and its third-party vendor may want to maintain their professional relationship. Organizations should reach out to the vendor’s sales representative to see what kind of items or services the vendor offers to other clients in the event of a data breach (e.g., discount in services, credit monitoring to patients, assurance, ability to modify the agreement, and reimbursement for expenses arising from the data breach).

If the agreement does not indicate how third parties will reimburse healthcare organizations for a data breach, they should negotiate with third parties on how third parties will reimburse them for expenses associated with the data breach, including notification expenses, liability expenses, and other expenses that helped mitigate the breach. If the third-party vendor is not willing to negotiate, consider engaging an outside attorney.

If healthcare organizations believe legal action is necessary because of the data breach, they should review their contract with that third-party vendor to see what legal recourse is available under the contract. Examples of legal recourse include arbitration and mediation. If the healthcare organization decides legal action is necessary, consider engaging an outside attorney.


Additional Resources

Grant Thornton LLP & Association of Healthcare Internal Auditors – Third-Party Relationships and Your Confidential Data

Manatt, Phelps & Phillips, LLP – Business Associate Compliance with HIPAA

RSI Security – Basics of Third-Party Risk Management in Healthcare

MagMutual – Cyber Security Toolkit


The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.