3 Data Breach Communication Strategies for Skilled Nursing Organizations

When you think about securing your skilled nursing facility – what comes to mind? Locks on prescription drug cabinets, door locks, wander guards or securing your patients’ personal belongings and business office items. But given today’s threat landscape, one of the most insecure areas of your organization has nothing to do with your facility and everything to do with your network. 

Put simply, when it comes to security it’s not a matter of if your organization will be attacked by a criminal hacker, but when you will be attacked by a criminal hacker. Skilled nursing organizations are honeypots of extremely valuable information. How valuable? In 2015, a Dell SecureWorks research report found that while credit card numbers sold for a few bucks a piece on the dark web, health records can be sold for closer to $50 per record on the black market.  

According to The Ponemon Institute, one of the most respected research organizations focused on privacy, data protection and information security policy notes that on average, a breach will cost $355 per stolen record. For a breach impacting multiple facilities, that cost can climb into millions of dollars in a hurry. But it becomes a MUCH costlier experience if you don’t have your ducks in a row when it comes to communications. Creating a plan to properly communicate in a breach situation can help you avoid losing business, paying preventable fines and navigating a minefield of reputation management issues.

But where do you begin? Every healthcare organization is unique, but skilled nursing facilities should consider the following three points when developing a breach communications plan:

1.      The Regulatory and Public Disclosure Clock is Ticking (and Uncle Sam is Watching). In a breach that includes information protected by HIPAA, The HIPAA Breach Notification Rule requires that breached organizations notify affected individuals, Health and Human Services, and in some cases, the media, or another form of public disclosure when a breach involves unsecured Personal Health Information (PHI). In most cases, the clock is ticking on when this disclosure must happen – typically you only have 60 days to issue public notifications. Once notified, be prepared for interest from elected officials (Attorney generals, legislators, governors, etc.)

2.      “Facts” Can Change by the Minute. In a breach scenario, it’s tempting to release the number of records impacted by the breach or other definitive facts. Don’t let yourself get painted into a corner by releasing information that may change over time. The reality is criminal hackers are incredibly sneaky, and it’s more likely than not that the number of impacted files will change throughout the course of your investigation. If the facts you share with the public prove to be untrue over time, you risk an aftershock of broken trust with your residents, their families and your community.

3.      Limit the Number of Cooks in the Kitchen. A breach situation is likely to bring out several executives who will all insist on being a part of the investigation and recovery team. Extra help is great, but in a breach response situation, decisions need to be made quickly and adding too many players can be distracting and lead to slower response times. Your response team needs a leader with decision-making authority and representatives from essential departments including IT, legal, human resources and corporate communications. Outside counsel can be extremely helpful, too – but don’t bring in multiple communications firms, forensics teams and law firms.

Admittedly, the list above only scratches the surface of communications considerations in a data breach situation. Developing a detailed incident response plan to prepare for inevitable data breach situations is the first step.  If you don’t already have a data breach incident response plan in place, that’s where we can help. Trifecta Public Strategies is one of the only communications firms with deep experience navigating the nuances of both the skilled nursing industry as well as the ever-changing data security landscape. We’d love to learn more about your organization and give you the peace of mind that a detailed plan can provide.