Incident response plans have been a topic of our show several times. But, these days we just can’t get enough of a good thing!
Actually, there is a reason we are covering it in this episode. I was reviewing a Business Associate Due Diligence from a software provider. In the questionnaire, we always ask if you have a written incident response plan and trained incident response team. They responded Yes, with a comment of “we have an engineering department”.
I can’t accept that as a reasonable response from a CE or BA but especially not one that has access to a large amount of PHI as most software companies do. That had me pondering doing another discussion on Incident Response Plans. On that same day, OCR released their May memo on incident response planning. That same week, I also listened to an interview discussing Incident Response Plans 2.0.
I can take a hint! Incident response plans it is. I started making notes to create an episode on it that day. We haven’t had a chance to get it recorded an out there until now.
Incident Response Plans V2
New Incident Response Plan Memo from OCR
The memo came out in May. It is reminding everyone after WannaCry you should really have a plan in place if you don’t already. (Of course, you do!) The importance of having a plan can not be over emphasized. In the 2017 IBM/Ponemon cost of a data breach study, the number one way to reduce costs of a data breach is to have a plan. Globally that saves $19 per record and in the US that goes up even further to $25.90.
What’s a Security Incident? When is it a Breach?
Security Incident An attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations. See 164.307
Breach An impermissible acquisition, access, use, or disclosure under the Privacy Rule that compromises the security or privacy of PHI. See 164.402
- Here is where the rubber meets the road. You activate your team when an incident occurs. You expand that activation when you determine there is a potential breach.
- An engineering department will not likely have a clue how to activate your insurance coverage. You know they won’t know what to say to the media!
- We always recommend that you include a plan for responding to privacy incidents as well as security ones. Technically, security breaches become a privacy issue anyway.
Handling an Incident
An Incident Occurs; How’s your Capability to Respond?
An incident policy and different types of contingency plans assist Covered Entities and Business Associates in a proper, concentrated, and coordinated approach to responding to incidents.
- These plans need to be uniquely yours. The location, capabilities, size of an organization, management structure, and much more can all influence exactly how you will respond to any type of incident.
- A contingency plan must include way more than your engineering department. We don’t know how everyone does their job we just know how the computers do THEIR jobs.
- There are many folks who are afraid to share information about what is happening because they don’t want word getting out they had an incident.
- Some people never even think of sharing that information with anyone – more of the “we’re too small” mentality approach.
- Engineers may have the need to share but sometimes their issues involve over sharing the details so you need someone with business sense and technical sense involved.
Incident Response 2.0
- A big part of that interview I listened to discussed the need for more than just tech staff to be involved in even a cybersecurity incident.
- Support Team
- Know your insurance coverage and how to activate it
- Have a plan for how to communicate with each other on the team plus with the board and especially with the entire workforce.
- Media plan is a must have
- Know how to contact the FBI and local law enforcement
- Know how to contact your local OCR office
- Have a team leader on each of the important areas and they should train and plan with their teams.
- Response leader
- Communications leader
- PR for dealing with the media
- Sales and marketing for dealing with your clients
- IT for dealing with investigation
- IT and others for dealing with BC
- IT and others for dealing with DR
- Of course, you need Kardon for helping you juggle all of this!
If this sounds like a lot to have included your incident response plans then you can understand how it might be overwhelming if you are trying to figure it out as you go during a crisis. I assure you that is not the way to handle an incident. Resources are wasted and mistakes are made it you don’t have some idea of what to do and where to turn when these take place.