Fortune 200 Healthcare Company Cuts Incident Risk Assessment Time by 50% with Radar

Automated privacy incident response reduces breach risk and improves efficiency

A Fortune 200 company that provides healthcare solutions to more than 5.5 million members in the U.S. faces a bewildering array of breach notification regulations, from HIPAA to 50 individual state laws. The company’s privacy team relied heavily on spreadsheets and an internal legal group to manage its privacy and security incidents.

With an average of 50 incidents per month, the privacy team knew it had to replace this manual process with a streamlined solution. They tried an incident response workflow platform, but it lacked critical features, such as automated multi-factor, multi-jurisdictional incident risk assessment, and breach notification recommendations. They dropped this platform in favor of Radar.

Radar Boosts Efficiency, Reduces Breach Risk

Every incident requires detailed documentation and a consistent incident risk assessment in accordance with all federal, state, and international laws where an organization conducts business or the affected individuals reside. Radar is up-to-date with all breach notification regulations, saving the healthcare company’s legal team the hassle of monitoring them.

“With Radar, we’re 90 to 95 percent more efficient in this respect,” the privacy team lead says. “Radar also helps mitigate risk. We did not have the resources for someone to monitor rule changes and updates full-time. This lack of dedicated attention increased the risk that a change to legislation or regulations could be missed.”

Risk Assessments Completed in Half the Time

Prior to Radar, the healthcare company struggled with a cumbersome manual process for reviewing the regulatory requirements for each new incident. “All of the legal and regulatory requirements around breaches, notifications, and deadlines are built right into Radar,” says the privacy team lead. “This has created an easy workflow that’s saved at least 50 percent of the time it used to take to complete assessments.”

The privacy team lead also relies on the heat map Radar generates for each incident, which reveals the risk of harm to impacted individuals. Another efficiency is the ability to get an assessment summary if the HHS Office for Civil Rights, a state attorney general, or another regulator requests documentation on a specific case.

Avoiding Costly Fines and Missed Deadlines

Contractual notification obligations are often measured in hours or days rather than weeks or months, and failure to meet the timelines can result in significant fines and penalties, including the possibility of a lost client. Radar helps the healthcare company capture important contractual notification details for each external entity, including multiple notification timelines and contacts.

“Having Radar populate the notification timelines for each contractual obligation has been a big help,” the privacy team lead says. “Before, we had to remember to look up the deadlines on our spreadsheet. If we missed a deadline, we could be fined $500 to $2,000 per contract.”

Radar Slashes Follow-up on Incident Intake by 90%

Previously, the company only had a general mailbox for reporting incidents, which almost always required follow-up to get all the needed information. Now, the privacy team only has to follow up on about 10% of the incidents that are reported via Radar’s incident intake forms. “The web forms really help guide the person reporting the incident in terms of the kind of information required,” the privacy team lead says.

One Assessment for Multiple Data Sets

Incidents don’t always involve a single data set; for example, a stolen briefcase may have a tablet, paper files, and a thumb drive, each with a distinct set of data impacted by different risk factors or regulatory requirements. Before Radar, the healthcare company had to split such incidents into separate events—one for each data set.

Now the privacy team can manage multiple data sets, and the risk factors associated with each, within a single incident. Each data set is documented and assessed as a distinct subset of that one incident, which keeps the incident record accurate, avoids over-counting incidents, and significantly reduces assessment time.