Insights From Wapiti


Handling Third Party Data Breaches

The following article is from the MagMutual Learning Center. MagMutual, an A-rated healthcare liability insurance company, is the malpractice insurance carrier used by Wapiti Medical Staffing.

Healthcare is one of the industries most vulnerable to cyberattacks. Although most cyberattacks happen because of human error within an organization, more healthcare organizations are experiencing data breaches that originate with third-party vendors. A third-party vendor is an entity contracted by the healthcare organization to provide items or services, such as electronic health record (EHR) systems and IT security systems. Fifty-one percent of organizations across all industries have experienced a data breach caused by a third party.

According to the Ponemon Institute/IBM Security study, healthcare organizations take, on average, 96 days to discover a data breach and 236 days to recover from one. Data breaches in the healthcare industry spiked fifty-five percent in 2020.

With cyberattacks becoming more prevalent, it’s important to have a plan for when you receive notice from a third party of a data breach. This article describes how healthcare organizations should respond when they receive notice of a third-party breach and best practices for how to mitigate the extent of future breaches.

What Should Healthcare Organizations Immediately Do When They Receive Notice of a Third-Party Breach?

Healthcare organizations typically receive notice of a data breach days, or even months, after it actually occurred. The third-party vendor usually sends a letter or email notifying the organization of the breach. If your organization receives a data breach notice, treat it as an important document and keep it in an administrative file after the following steps are taken.

Healthcare organizations should read the notice carefully and assess which of their information was compromised and to what extent. It is also important to reach out to the third party that sent the notice if more information about the breach is required, including whether the third party has remedied the breach on its end.

After reading the notice, if the breach is still ongoing, healthcare organizations should activate their incident response plan to mitigate the damage of the breach. If you have not created an incident response plan for a data breach, consider hiring outside counsel to guide the response efforts. PolicyOwners can also review sample incident breach responses on MagMutual’s Cyber Center located within the “My Account” section of your MagMutual online portal.

Steps for Effectively Responding to Third-Party Data Breaches

1. Implement an Incident Response Plan

An incident response plan is crucial in responding to a data breach. Implementing an incident response plan effectively requires running routine practice drills of what to do when a data breach happens so that medical staff can act immediately upon notification of a data breach …
