When it comes to tornadoes, hurricanes, or other natural disasters, most health care organizations have a practical response plan, one that’s practiced regularly and updated as needed. But when it comes to a cyber-attack, a missing or stolen laptop, or a curious vendor who helps himself to protected health information (PHI) files, does your organization have a swift, practiced, and updated response plan?
Having a formal incident response and management plan in place and ready before you need it is crucial to information security. Here are some vital elements to consider for ensuring your plan covers all the fundamentals:
- Define incidents. Workers can’t always identify an incident unless it’s clearly defined. Some incidents are obvious (“My computer has a virus!”), but others are not as obvious (“That person is accessing PHI, so they must have the proper clearance, right?”). As you develop your plan, broadly define what incidents are, but also spell out the many scenarios that qualify as incidents. Give your workers a clear picture of what an incident might look like.
At the same time, be sure your organization recognizes the difference between a security incident and a data breach. The latter requires notification to the Office for Civil Rights (OCR) and to the people whose information was compromised, within the specific time periods defined under the Health Insurance Portability and Accountability Act (HIPAA). A data breach is a serious incident in which PHI has in some way been compromised. A security incident is usually any other event: inadvertent access to or compromise of systems or information not classified as PHI, a hacking attempt, malicious software, an attempted breach of the network perimeter, and so on.
- Establish reporting guidelines. Once workers know how to recognize security incidents, they need to understand how to report them. Make reporting easy. It can be as simple as completing an online form or calling a 24/7 hotline. In addition, be sure to educate staff about the importance of reporting the incident in a timely manner.
- Determine responses based on the type and impact of incidents. Security incidents and breaches come in many types and vary in severity, and organizations should recognize those differences and respond accordingly. For example, a virus or cyber-attack calls for a very different response than a lost laptop does. Those differences will also determine which key members of an incident response team—from security and IT operations to HR and PR to legal—should be involved in responding to which events.
- Consider your containment efforts. Every plan must outline how and what will be done to limit exposure. A cyber-attack requires an immediate response and potentially shutting down services to limit the exposure or damage to other internal resources, whereas an insider or vendor who steals or inappropriately views PHI may warrant disciplinary action or termination. The importance of timely reporting and early response cannot be overstated.
- Include remediation, also called recovery. Your plan should include measures that address the immediate aftermath (for instance, cleaning up computers after a virus), but it should also include a review or risk analysis of the circumstances leading up to the incident to determine what steps or improvements are needed to prevent a similar incident or breach in the future.
- Remember reporting. Here again, the type of incident determines the degree of reporting. The most serious type of incident, a data breach, carries specific, regulatory-mandated reporting requirements, which include notifying state and federal officials, regulators, employees, patients, and even the public.
What’s your plan?