By Ty Greenhalgh

The recent ransomware attack on UnitedHealth Group’s Change Healthcare unit has underscored a crucial aspect of cybersecurity in the healthcare sector: breach notification processes. Federal regulators have authorized Change Healthcare to reach out to affected individuals, and the company has begun sending out notification letters. This situation raises an important question for the healthcare industry. Should breach notification responsibilities lie with healthcare providers, or should they be managed by the breached third parties, especially given the sector’s limited resources? 

In light of such breaches, it’s becoming increasingly clear that shifting the responsibility for breach notification delivery to specialized third parties offers several practical advantages. This approach not only alleviates the burden on healthcare providers but also enhances the effectiveness and timeliness of breach responses. Here’s why third-party management of breach notifications could be a more practical solution:

Expertise and Timeliness

Specialized third-party entities excel in breach notifications due to their extensive experience and expertise. These organizations are well-versed in the complex regulatory landscape and communication strategies required for effective breach management, which can be overwhelming for healthcare providers.

By delegating these tasks to specialists, healthcare organizations can ensure that notifications are handled efficiently and in full compliance with legal requirements. These firms are also adept at managing the intricacies of breach notifications, including drafting clear and accurate communications, providing timely updates, and meeting all regulatory obligations. This reduces the risk of delays and inaccuracies, which are vital for maintaining trust and avoiding potential legal issues.

Reducing Provider Burden

Healthcare providers are primarily focused on delivering patient care and maintaining essential services. The administrative task of managing breach notifications can divert valuable resources and attention from these core functions. By outsourcing breach notification responsibilities to third parties, providers can concentrate on their primary mission: offering high-quality patient care. This division of labor allows healthcare organizations to remain focused on their core responsibilities, while leaving the complex and often resource-intensive task of breach notification to those best equipped to handle it.

Enhancing Healthcare Cybersecurity

Maintaining robust cybersecurity is a significant challenge for many healthcare providers, especially hospitals and smaller practices with limited resources. Expecting these organizations to manage breach notifications in addition to their cybersecurity responsibilities can strain their capabilities and potentially weaken their overall security posture.

Third-party management of breach notifications ensures compliance with legal requirements while allowing healthcare providers to focus their resources on strengthening their cybersecurity defenses and addressing vulnerabilities. This strategic focus on core competencies can lead to improved overall cybersecurity and better protection of patient data.

Maintaining Trust

Trust and transparency are crucial in the aftermath of a data breach. Affected individuals need clear, consistent, and timely information about the breach and its implications. Third parties specializing in breach notifications are well-positioned to provide comprehensive updates and manage communications effectively. By handling notifications with transparency, these third parties can help maintain and even enhance trust with affected individuals. Transparent communication fosters a sense of accountability and reassurance, demonstrating that the breach is being managed responsibly and that individuals are kept informed throughout the resolution process.

Advocating for a shift towards third-party management of breach notifications in healthcare could significantly enhance the efficiency and effectiveness of response efforts. By leveraging the specialized knowledge and resources of third parties, healthcare providers can focus on delivering patient care while ensuring that breach notifications are handled with the necessary expertise and timeliness. This strategic approach not only optimizes operational focus but also strengthens the integrity of breach response efforts, ultimately supporting better outcomes in the face of evolving cyber threats.

Ty Greenhalgh is industry principal for healthcare at Medigate by Claroty.