One of the fundamental beliefs within the American medical system is that patients have the right to privacy. This right is increasingly challenged by cyberattacks, and thus how the health system should respond to data breaches is a key area of work. According to the North American Association for Central Cancer Registries,
“Confidentiality is the cancer registry’s responsibility to the patients whose data are in the database and is of paramount concern to all cancer registries. There may be no greater threat to the operation and maintenance of a cancer registry than an actual or perceived breach of confidentiality. In fact, an actual or perceived breach of confidentiality in one registry may threaten all registries.”1
That is to say, to threaten this privacy is to threaten the practice of keeping patient records at all, which in turn threatens the practice of medicine as we know it.
Although there are many security measures that protect both the healthcare workplace and its databases, data breaches are an unfortunate eventuality. A data breach can occur for any number of reasons: an accidental violation of HIPAA protocol, for example, or a pre-planned attack by a hacker hoping to negotiate a ransom. No matter the type of breach, it is critical that healthcare providers have both protection against breaches and a response protocol.
According to the CDC, successful management of a data breach starts long before the incident even occurs. In other words, a detailed, pre-written plan for the case of a data breach should be organized and shared among healthcare employees to ensure a rapid response. Once such a plan has been drafted, agreed upon, and taught, “it is the program’s responsibility to execute its response plan.”2 Failure to do so increases the risk of violating legislative requirements,3 worsening the impact of the original breach, and enabling subsequent breaches. These in turn can cause the healthcare institution to lose credibility with patients and other healthcare providers, as well as cause harm to patients themselves.
One key part of said plan is a breach response team (BRT), a group of people with the designated responsibility of investigating suspected data breaches in a health system. It is advisable that the members of such a team have a background in computer science or information technology, which will allow them to troubleshoot each incident.2 Familiarity with each facility’s technology and security measures is also a prerequisite for membership in the BRT. Duties of the BRT can include (but are not limited to) developing detection programs and methods for reporting breaches, responding to and tracking suspected breaches, evaluating response tactics, and notifying individuals whose privacy may have been affected by the data breach. However, it is not the job of the BRT alone to manage data breaches. The workplace as a whole must be well educated and ready to respond in the case of a breach. If proper education is given and an employee’s non-compliance leads to a data breach, then that individual employee is responsible and can face both legal and corporate consequences. Even an accidental breach may culminate in loss of employment and the potential for legal repercussions.
Clearly, protection of private data is integral to the function and purpose of a healthcare facility. Therefore, responding to data breaches in a timely, effective, and appropriate manner is of utmost importance.
1 North American Association of Central Cancer Registries (NAACCR). (2019, September 12). Standards for completeness, quality, analysis, and management of data, Volume III. Retrieved from https://www.naaccr.org/standards-for-completeness-quality-analysis-and-management-of-data/
2 Centers for Disease Control and Prevention. (2021, January 20). Data breach response. Retrieved from https://www.cdc.gov/cancer/npcr/tools/security/breach.htm
3 Office for Civil Rights (OCR). (2021, June 28). Breach notification rule. HHS.gov. Retrieved from https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html