In Case of a Hack, Investigate Immediately

There’s an old saying that haste makes waste, but when it comes to a cyberattack, speed is of the essence. Hospitals and physicians are facing an onslaught of hackers prying into patient records, and must be ready to react the moment an attack is detected. Delays can damage reputations and lead to government-imposed penalties.

It can take a long time to run a full forensics investigation to determine if any patient records were accessed in a health-care hack, so it’s critical to start right away, Adam Greene, an attorney at Davis Wright Tremaine in Washington, told me. The Health Insurance Portability and Accountability Act requires health-care providers to notify affected patients as well as the government within 60 days of discovering a hack.

The 60-day deadline is a bright line, and there’s not much wiggle room to make a late notification, Iliana Peters, an attorney with Polsinelli PC in Washington, told me. Peters, who served as the Health and Human Services Office for Civil Rights acting deputy director prior to joining Polsinelli, said the 60-day deadline makes it essential for health-care organizations to already have breach-response plans in place.

A four-step plan can help companies prepare for and handle a data breach, Peters said. The first step should focus on “stopping the bleeding,” she said: health-care organizations need to find out where the breach is and stop it.

Cooperation with law enforcement is next, and in certain cases law enforcement may ask for a breach notification to be delayed due to an ongoing investigation, she told me.

The final two steps involve working with information-sharing organizations to get the word out about your data breach and notifying patients and the government, Peters said.
