Incident Response Planning for Healthcare
- The complex, high-risk challenges that health insurers face
- The importance of consistency and documentation in risk mitigation
- The role automation plays in incident response planning
Read more below.
“You do not want to be building the plane in freefall. You’re gonna fail.”
Laura Rieben, Deputy Privacy Officer at Independence Blue Cross, joined The Privacy Collective on June 24, 2021, to discuss the unique challenges health insurers face while managing personal information, navigating complex data breach notification obligations, and wrangling third-party contractual obligations. Working in healthcare is no accident for Rieben: she sought out the industry specifically because of these challenges, so we’re extremely excited to share a dialogue with her in the latest session.
Organizations that manage health information are aware of how inherently high-risk their work is. In her position, Rieben oversees a core investigative team and incident response, develops and implements risk mitigation strategies based on internal and external trends, strategically develops controls, and ensures all data leaving the organization is legally permissible and compliant.
Amid a worldwide pandemic and customer demand for sharing data with emerging third-party mobile apps, incident response planning for healthcare involves unique challenges, all of which, Rieben believes, can be planned for.
Facing the Complexity
For Rieben, staying on top of new and emerging laws and jurisdictional changes is challenging and important work. Within healthcare, sensitive personal information is heavily regulated, and many of the applicable laws carry their own notification deadlines. Staying on top of changing regulations is tricky, but cannot be overlooked. Per Rieben, “GDPR can still apply to you. A breach can come down to just two data elements that apply and you’ll still need to remain compliant with GDPR.”
Managing vendor relationships means a lot of oversight. Part of onboarding new clients successfully is pre-positioning incident response vendors before they are needed. “If you’re negotiating these contracts while you have an incident or recently after you’ve had one, it’s an issue. If you don’t document incident response, you will need to be able to go back and confirm data was deleted, destroyed. These are important in case you get audited or if someone alerts a regulator.”
Third-party contractual obligations, too, create urgency for Rieben and her team. These contracts often impose tighter timeframes than their regulatory counterparts, and maintaining compliance with them can mean the difference between keeping or losing clients for the organization. Getting contracts in place to protect the company and overseeing hundreds of vendors can be time-consuming, but it is worth it.
“Third parties are a really critical piece of our program because they stand in your shoes from a compliance perspective. It’s a joint compliance arrangement.”
As more health and wellness mobile apps emerge, healthcare insurers are presented with the challenge of interoperability with new vendors. When Medicare users consent to exchange personal information with new software systems, Rieben must ensure a safe transfer. Once the data leaves the insurer’s hands it is no longer PHI; rather, it falls to the Federal Trade Commission to oversee its safe handling.
Incident response teams are the first responders of risk mitigation. In the event of a data breach, it’s critical that privacy teams have documented processes in place to resolve the issue efficiently, including a functional bridge to decision-makers in other departments who must be involved in the investigation. Litigation counsel can be brought in to perform legal analysis and ensure that all critical decisions, including the determination of notification obligations, are consistent with Privacy’s assessment. Legal counsel may also scrutinize contractual reporting to maintain accuracy.
“If you don’t know how to preserve privilege, set up time with someone in your legal department or with your general counsel to make sure you know what you’re doing ASAP.”
All of these tactics wrap into doing the right thing by the people whose data is impacted. This sort of incident response management is rarely linear, so it’s important to have documentation in place to make sure your team checks all the boxes of incident management to avoid litigation.
“Successful breach response thrives on collaboration,” says Rieben. There is no one person at an organization with enough expertise to do it all. To maintain compliance, everyone has to get along, speak the same language, and check their egos at the door. Success for privacy teams means seeking opportunities for cross-functional collaboration.
To connect incident response teams who have been separated due to the pandemic, Rieben suggests performing tabletop exercises to foster alignment. Such exercises help teams prepare for emergencies and insurers are glad to know privacy teams are ready for various scenarios.
The Role of Automation
For large organizations, data analytics is a crucial resource for managing vendor and client information. “It’s absolutely essential to us.”
With a multitude of vendors to balance, Rieben leverages automation to streamline workflows, so that her team is not forced to revisit every third-party contract to double-check notification requirements and the organization is not exposed to critical risks in the meantime.
Most advantageously, automating privacy incident response affords Rieben the ability to monitor trends. Leveraging automation, Rieben looks for business areas that may have repeating incidents and repeating types of incidents to identify and resolve them at their origins. By updating processes that aren’t working within specific teams she is able to reduce risk for the organization at large.
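As an added illustration of the two uses of automation described above (example code written for this recap, not Independence Blue Cross’s system), the following Python sketch records each obligation’s notification window once, picks the tightest deadline for an incident, and counts repeating incidents by business area. The GDPR 72-hour window is the real Art. 33(1) rule; the vendor contract windows and the incident register are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed obligations: notification window measured from discovery.
# 72 hours to the supervisory authority is the GDPR Art. 33(1) rule;
# the two vendor contract windows are invented for this example.
OBLIGATIONS = {
    "GDPR": timedelta(hours=72),
    "Vendor A contract": timedelta(hours=24),
    "Vendor B contract": timedelta(hours=48),
}

def notification_deadlines(discovered, applicable):
    """Map each applicable obligation to its deadline for one incident."""
    return {name: discovered + OBLIGATIONS[name] for name in applicable}

def earliest_deadline(discovered, applicable):
    """The binding deadline is the tightest one; contractual windows are
    often shorter than the regulatory window, so it is usually a contract."""
    deadlines = notification_deadlines(discovered, applicable)
    name = min(deadlines, key=deadlines.get)
    return name, deadlines[name]

def repeat_incident_areas(incidents, threshold=2):
    """Count incidents by (business area, type) and return the pairs that
    recur at least `threshold` times: candidates for fixing the process."""
    counts = Counter((i["area"], i["type"]) for i in incidents)
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed incident register (areas, types and dates are invented).
INCIDENTS = [
    {"area": "Claims", "type": "misdirected mail", "discovered": datetime(2021, 6, 1, 9),
     "applicable": ["GDPR", "Vendor A contract"]},
    {"area": "Claims", "type": "misdirected mail", "discovered": datetime(2021, 6, 8, 14),
     "applicable": ["Vendor A contract"]},
    {"area": "Member Services", "type": "lost device", "discovered": datetime(2021, 6, 3, 11),
     "applicable": ["GDPR", "Vendor B contract"]},
    {"area": "Claims", "type": "misdirected mail", "discovered": datetime(2021, 6, 15, 8),
     "applicable": ["Vendor B contract"]},
]

if __name__ == "__main__":
    for inc in INCIDENTS:
        who, when = earliest_deadline(inc["discovered"], inc["applicable"])
        print(f"{inc['area']}: notify {who} by {when:%Y-%m-%d %H:%M}")
    print("Repeating incidents:", repeat_incident_areas(INCIDENTS))
```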
Getting ahead of risk is of chief concern for Rieben. From analyzing incident trends to pre-positioning incident response vendors, the goal is to stay one step ahead of risk and, where insurance companies are concerned, to ask permission rather than forgiveness.
Compliance in Uncertain and Complex Times
While operating in the pandemic, organizations around the world have seen that legislatures aren’t slowing down when it comes to passing and modifying privacy laws. Having a tested and proven incident response process that consistently delivers defensible notification decisions doesn’t happen overnight. The more you can test, plan, and prepare, the better your team will fare in the event of an emergency. Privacy teams should test their own processes, their vendor relationships, and their interoperability with counsel.
For privacy teams, Rieben believes in finding opportunities.
“Never waste a crisis. Leverage potential and actual incidents to push for changes you want in your organization. Work to identify cheap wins at your company.”