Six Steps to Effective Healthcare Data Breach Response

Healthcare organizations must adapt to evolving cybersecurity threats with a focused data breach response plan. In 2025, reducing risk and ensuring compliance are key priorities.

The healthcare and public health sector continues to face rising data breach costs, up to USD 10.93 million globally as organizations bear direct costs to investigate, contain and pay regulatory fines as well as indirect costs related to loss of trust and patient churn. As the compliance landscape continues to evolve, with new revisions to HIPAA, revisions to CFR 21 Part 11, state privacy laws, and even upcoming changes to PCI DSS, healthcare organizations must also navigate new requirements to protect data, systems and services.

In a recent example, Atlanta-based Managed Care of North America (MCNA) Dental exposed the data of nearly 9 million patients, with exfiltrated data leaked to the dark web by the LockBit ransomware group. Mid 2023, HCA Healthcare also announced a breach impacting as many as 11 million patients across 20 states.

Increasingly, malicious actors are targeting healthcare organizations with the intention to disrupt or hold medical records hostage, a tactic that increases pressure to pay a ransom in order to ensure patient safety and care delivery. Today, organizations fall victim to a ransomware attack every 11 seconds—by 2031, it will be every 2 seconds. While 42% of healthcare organizations pay a ransom to recover data, the confirmed amount of data being compromised by ransomware in healthcare continues to rise.

Today, it takes an average of 277 days to identify and contain a data breach—204 days to identify and 73 days to contain. The takeaway here for healthcare organizations is not only the need to reduce risk of attack and breach with improved cyber hygiene practices, but also to reduce mean time to response after incidents are detected. How a healthcare organization responds to a data breach can have a significant impact on both cost and consequences, including reputation and compliance penalties.

Like every organization, the introduction of remote work and increasing supply chain vulnerabilities has simply reinforced that perimeter-based security controls are no longer enough. Effective handling of a healthcare data breach begins by acknowledging the new software-defined perimeter and the need for Zero Trust and better visibility over endpoints, in order to improve detection and response activities.

Steps for Effective Data Breach Response

Recognized as a global standard for cybersecurity practices, the National Institute of Standards and Technology has created several guides to assist healthcare organizations in complying with HIPAA and in mapping these to the widely-accepted NIST Cybersecurity Framework (CSF). Response is one of the five pillars of the CSF, guiding organizations on the appropriate steps to take if a cybersecurity incident is detected to help contain the impact of the incident.

Further, NIST breaks down the Response activities into five sub actions:

1. Response Planning. The creation of response processes around incident handling and response as well as system recovery, business continuity, and tracking.
2. Analysis. Activities to identify and respond to suspected or known security incidents with forensic analysis, impact analysis.
3. Communications. Communication activities to key stakeholders, law enforcement, and external regulators, if conditions are met for breach of data security or privacy laws.
4. Mitigation. Activities that can help prevent a security incident from escalating to a data breach.
5. Improvements. Investigating security incidents is vital to learn from mistakes, question assumptions, evolve security controls, and apply any knowledge gained from the experience to improve people, processes or technology to be more resilient from future attacks.

However, if any cyber attack occurs, activities will be hyper focused on steps 2 through 4, where the actions being taken can be the difference between a simple security incident and long-term reputational and financial damage. Therefore, we’ve broken down these steps even further, helping healthcare organizations develop a clear, 6-step plan to effective data breach response.

Outlined in our Effective Healthcare Data Breach Response whitepaper in detail, these steps include:

1. Activate your response plan of action
   To build on our whitepaper, regulations have reinforced that how an organization responds is critical both to public perception, fines and overall cost. Breaches that have longer identification and containment times (over 200 days) cost $1.02M more than those under 200 days.
   
   By implementing a CSF, formalized security teams have time to plan and implement appropriate tools to monitor and respond to security incidents, including the deployment of persistent connections to all devices that store, transmit and process data to support continuous monitoring and detection.
2. Limit the damage
   When an incident occurs, confidence in your ability to know what happened and which data was breached is vital. Today, 82% of breaches involve data stored in the cloud, with remote work still positively correlated with higher than average data breach costs.
   
   With the right technology and processes implemented, it is possible to create forensic documentation to prove encryption was in place and that steps have been taken to mitigate or contain the risk (e.g. remotely delete data, isolate devices, push control changes).

3. Understand the regulations
   The compliance landscape is constantly shifting, with each regulation imposing its own requirements for communication of security incidents or data breaches. For example, as artificial intelligence (AI) gains attention within healthcare and we see notable breaches related to AI, new regulations are expected (and encouraged by the new Executive Order). Further, the proposed Cyber Incident Reporting for Critical Infrastrucgture Act of 2022 will create a new 72-hour window of reporting for any incident, regardless of breach status.
   
   
4. Collect, document and analyze evidence
   Find out what happened and document all the evidence. As more and more healthcare organizations rely on remote work (up to 25% of the workforce) and portable shared devices, ensuring that persistent connection to endpoints can support an audit-ready posture.
   
   
5. Determine the extent of the damage
   Healthcare organizations must meet the burden of proof to determine if a breach notification is required and to coordinate response activities, often with the support from external investigators, law enforcement agencies and/or cyber insurers. The extent of the damage can be mitigated with proof of encryption and proof that other protection measures were in place and untampered at the time of an incdent.
   
   
6. Send compliant notifications
   In admitting that “some data” was exfiltrated, NHS left patients with more questions than answers. Stakeholders (the public and regulators) want to know details of what happened, who was affected, what kind of data was accessed and by whom. Some incidents will not meet the burden of a notifiable breach, though organizations may still choose to report security incidents and how they have been handled.

Implementing a comprehensive, risk-based compliance strategy is pivotal for healthcare organizations who know that compliance alone doesn’t equal protection and that today’s era of care demands more. Absolute is uniquely positioned to help healthcare organizations across all five pillars, providing an unbreakable conneciton to endpoints to help quantify risk, ensure security controls in place are resilient, respond quickly, and recover faster.

Get the NIST Cybersecurity Framework Evaluation Guide here. 

Learn more about Absolute's security solutions for healthcare here.