OCR recently sent out a message on its listserv asking whether your Covered Entity (CE) or Business Associate (BA) is ready for an incident. We have been discussing security incidents a lot lately, so it is nice that OCR has brought it up. We have also seen several incident response reports recently, so we were already working on an episode on the topic. This episode is a review of Security Incident Response Plan development.
Let’s first be clear: this isn’t just about HIPAA. We have also been reviewing the Economist Intelligence Unit (EIU) 2013 report, Cyber incident response: Are business leaders ready?, which asks the very same question.
There are plenty of other sources that will tell you the same thing. You need a plan. Not just a policy that says you will respond to a breach, but a real plan in which people know who is involved and everyone knows what they are supposed to do.
What is a Security Incident Response Plan?
A security incident response plan should include details and assignments for how your organization will address an incident. It should tell you how to detect and assess the situation, how to contain it, how to correct it, and how to recover anything that was affected by the incident. You should also review each incident response afterward to confirm the plan was followed correctly and to determine whether it can be improved.
More specifically, your security incident response plan should explain the following:
- What management and staff should do if they think an incident has occurred
- Who will evaluate whether there is an actionable incident and activate the plan
- How you will limit the damage as quickly as possible
- How you will find the source of the problem and clean it up
- How you will recover from the incident and confirm you are all clear
- Who will make sure that lessons learned are reviewed, and that changes are made to your operations and to the response plan itself, if needed
These procedures are all about minimizing the damage caused by an incident and the time it takes to address it when it occurs. Remember, it isn’t IF you have an incident, it’s WHEN you have an incident.
What does building a Security Incident Response Plan involve?
First, we need to understand what the following acronyms stand for:
- Incident Response Plan (IRP)
- Breach Response Plan (BRP)
- Computer (or Cyber) Security Incident Response Team (CSIRT)
- Incident Response Team (IRT)
You must get management to buy in to the plan. Their support is vital; without it, the plan will fail. You also need to define what is considered an incident and who makes that decision.
Next, the team needs clearly defined roles and responsibilities:
- Internal and External team members
- Management lead to communicate between team and decision makers
- Tech team
- Documentation management
- Defining the message for the staff
After that, you need to make sure that the team members can communicate with each other:
- Provide a list of contact information for all resources
  - Team members
  - Insurance carrier contact info
    - Ensure they know how to activate a claim
  - Law firm
    - Be sure to put it under privilege quickly
  - Law enforcement
  - Local OCR contacts
    - Be sure to put it under privilege quickly
Finally, make a list of procedures for several types of incidents and the actions to take for each. Some examples of incidents that may happen include:
- Ransomware attack
- Phishing attack
- Theft or loss of equipment
- Unauthorized system access
- Insider issues
- Security failures
Regular team training and plan testing are vital to the success of your security incident response plan, because roles and circumstances can change often.
What does OCR say?
To be a compliant business, you need to have a plan for security incidents. The plan should cover how you prepare for incidents and how you detect and analyze them. It should also describe how you contain, eradicate and recover from incidents, and how you conduct post-incident activities and reviews.
Finally, the incident response team should discuss with its entity’s public affairs office, legal department, and management how information will be shared with external groups. Covered Entities and Business Associates are often required to communicate with external parties regarding an incident and should comply whenever applicable. External parties may include federal agencies, law enforcement, the media, internet service providers (ISPs), vendors, or other incident response teams.