Read to learn about incident response plan basics, including how to develop and implement your incident response plan.
This post contains the text from the White Paper: How to Develop and Implement a Successful Incident Response Plan.
In a data breach’s aftermath, it’s up to you to control the situation and protect your patients’ personal health information (PHI).
Read this white paper to learn about incident response plan basics, what to include in your incident response plan, how to develop and implement your incident response plan, and how to test your incident response plan’s effectiveness.
It’s important to discover the breach quickly, identify where it’s coming from, and pinpoint what it has affected.
Unfortunately, nearly every organization will experience system attacks, and some of these attacks will succeed.
If breached, you may be liable for only a few of the following fines, or you could be expected to pay even more than the fines listed:
A well-executed incident response plan can minimize breach impact, reduce fines, decrease negative press, and help you get back to normal operations more quickly. If you’re following HIPAA requirements, you should already have an incident response plan prepared and your employees should be trained to quickly deal with a data breach.
Without a plan, employees scramble to figure out what they’re supposed to do, and that’s when mistakes can occur.
An incident response plan should be set up to address a suspected data breach in a series of phases with specific needs to be addressed. The incident response phases are:
Preparation often takes the most effort in your incident response planning, but it’s by far the most crucial phase to protect your organization. This phase includes the following steps:
Identification (or detection) is the process that determines whether you’ve actually been breached by looking for deviations from normal operations and activities.
An organization normally learns it has been breached in one of a few ways:
When a healthcare organization becomes aware of a possible breach, it’s understandable to want to fix issues immediately. However, without taking the proper steps and involving the right people, you could inadvertently destroy valuable forensic data. Forensic investigators use this data to determine how and when the breach occurred, as well as devise a plan to prevent future attacks.
When you discover a breach, remember:
Your incident response plan needs to be put in motion immediately after learning of a suspected data breach.
After containing the incident, you need to find and modify policies, procedures, or technology that led to the breach.
Malware should be securely removed, systems should again be hardened and patched, and updates should be applied. Whether you do this internally or engage the help of a third party, make sure eradication actions are thorough.
Recovering from a data breach is the process of restoring and returning affected systems and devices back into your environment. During this time, it’s important to get your systems and organizational operations up and running again with confidence your network will withstand the next cyber attack.
After the cause of the breach has been identified and eradicated, ensure all systems have been tested before you re-introduce the previously compromised systems into your production environment.
After the forensic investigation, meet with all incident response team members to discuss what you’ve learned from the data breach, and review the events in preparation for a future attack.
This is when you’ll analyze everything about the breach. Revise your incident response plan by determining what worked well and what failed.
Creating an incident response plan can seem overwhelming. To help, develop your incident response plan using smaller, manageable procedures.
While every organization will need varying policies, training, and documents, there are a few itemized response lists that most organizations need to include in their incident response plans, such as:
Proper communication is critical to successfully managing a data breach, which is why you need to document a thorough emergency contact/communications list. This list should contain information about: who to contact, how to reach these contacts, when is the appropriate time to reach out, and what you need to say.
In this list, you should document everyone who needs to be contacted in the event of a data breach, such as the following individuals:
Determine how and when notifications will be made. Make sure to follow HIPAA Breach Notification Rule requirements.
For example, if you’re a covered entity, your statements must be sent to affected patients by first-class mail (or email if the affected individuals agreed to receive notices) as soon as reasonably possible, and no later than 60 days after breach discovery. If the contact information for 10 or more individuals is out of date or insufficient (or the breach affects more than 500 residents of a state or jurisdiction), post the statement on your website for at least 90 days and/or provide notice in major print or broadcast media in the affected areas.
Covered entities must also notify the Secretary of the HHS about the breach. If a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. If a breach affects 500 or more individuals, covered entities must notify the Secretary of the HHS within 60 days following a breach (if not immediately).
If you’re a business associate, notify the affected covered entities immediately after discovering a data breach (and no later than 60 days after discovery). Identify each individual affected by the breach and send this information to all affected covered entities.
Your incident response team should craft specific statements that target the various audiences, including a holding statement, press release, customer statement, and internal/employee statement. For example, have prepared emails and talking points ready to go after a data breach.
Your statements should address questions like:
Identify in advance the person that will ensure notifications are made in a timely manner and fulfill your state’s specific requirements, such as inside legal counsel, a newly hired breach management firm, or a C-level executive. Your public response to the data breach will be judged heavily, so review your statements thoroughly.
Your system backup and recovery processes list will help you deal with the technical aspects of a data breach. Here are some things that should be included:
This list helps you preserve any compromised data, quickly handle a data breach, and preserve your system configuration. By creating and implementing this list, your organization can reduce further data loss and return to normal operations as quickly as possible.
A forensics analysis list is for organizations that use in-house forensic investigations resources. Your forensic team will need to know where to look for irregular behavior and have access to system security and event logs. You might need multiple lists based on your different operating systems and functionalities (e.g., server, database).
Your forensic team may need the following tools:
However, if your organization doesn’t have access to an experienced in-house computer forensic examiner, consider hiring a forensics firm. Before choosing, vet potential forensic firms and have agreements completed in advance. This vetting process helps ensure you get an experienced forensic investigator when you need one.
Your jumpbag list is for grab-and-go responses (i.e., when you need to respond to a breach quickly). This list should include the overall responses and actions that employees need to take immediately after a breach. The list keeps your plan organized and prevents mistakes caused by panic.
Some things to include in your jumpbag list are:
Your security policy review list deals with your response to a breach and its aftermath. This list helps you analyze the breach, and helps you know what you can learn and change afterwards.
Your security policy review list should include documentation of the following things:
You should look at where your security controls failed, and how to improve them. The purpose of this list is to document the entire incident, what was done, what worked, what didn’t, and what was learned.
An incident response plan is only useful if it is properly established and followed by employees. To help staff, regularly test their reactions through real-life simulations (known as tabletop exercises). Tabletop exercises allow employees to learn about and practice their incident response roles when nothing is at stake, which can help you and your staff discover gaps in your incident response plan (e.g., communication issues).
Developing and implementing an incident response plan will help your organization handle a data breach quickly and efficiently while minimizing possible damage.
Start off by identifying and documenting where your organization keeps its crucial data assets (e.g., through a Risk Analysis). You need to assess which data would cause your organization to suffer heavy losses if it were stolen or damaged.
After identifying critical assets, prioritize them according to importance and highest risk, quantifying your asset values. This will help justify your security budget and show management what needs to be protected and why it’s essential to do so.
Determine what risks and attacks are the greatest current threats against your systems. Keep in mind that these will be different for every organization.
For organizations that process data online, improper coding could be their biggest risk. For healthcare organizations that offer WiFi to their customers, their biggest risk may be Internet access. Other organizations may place a higher focus on ensuring physical security, while others may focus on securing their remote access applications.
Here are examples of a few possible risks:
If you don’t have established procedures to follow, a panicked employee may make detrimental security errors that could damage your organization.
Your data breach policies and procedures should include:
Over time, you’ll need to adjust your policies according to your organization’s needs. Some organizations might require a more robust notification and communications plan, while others might need help from outside resources.
Either way, all organizations need to focus on employee training (e.g., training on your security policies and procedures).
Organize an incident response team that coordinates your organization’s actions after discovering a data breach. Your team’s goal should be to coordinate resources during a security incident to minimize impact and restore operations as quickly as possible.
Some of the necessary team roles are:
Make sure your response team covers all aspects of your organization and that they understand their particular roles in the plan. Each will bring a unique perspective to the table with a specific responsibility to manage the crisis.
Your incident response team won’t be effective without proper support and resources to follow your plan.
Security is not a bottom-up process. Management at the highest level (e.g., CEO, VP, CTO) must understand that security policies, especially your incident response plan, must be implemented from the top and pushed down. This is true for organizations from dentist offices to multi-wing hospitals.
For larger organizations, executives need to be on board with your incident response plan. For smaller organizations, management needs to be willing to commit additional funding and resources to incident response.
When presenting your incident response plan, focus on how your plan will protect your patients’ data and benefit your organization.
The more effectively you present your goals, the easier it will be to obtain necessary funding to create, practice, and execute your incident response plan.
Just having an incident response plan isn’t enough. Employees need to be properly trained on your incident response plan and know what they’re expected to do after a data breach.
Employees also need to understand their role in maintaining company security. To help them, employees should know how to identify attacks such as phishing emails, spear phishing attacks, and social engineering efforts.
Test your employees through tabletop exercises (i.e., simulated, real-world situations led by a facilitator). Tabletop exercises play a vital role in your staff’s preparation for a data breach. These exercises help familiarize your employees with their particular incident response roles by testing them against a potential hacking scenario. Tabletop exercises are discussed further later in this white paper.
After testing your employees, you can identify and address weaknesses in the incident response plan and help your staff see where they can improve, with no actual risk to your organization’s assets.
In a discussion-based tabletop exercise, you and your staff discuss your response roles in hypothetical situations.
A discussion-based tabletop exercise is a great starting point because it doesn’t require extensive preparation or resources, while still testing your team’s response to real-life scenarios without risk to your organization. However, this exercise doesn’t fully test your incident response plan or your team’s response roles.
In a simulation exercise, your team tests their incident responses through a live walk-through test that has been highly choreographed and planned.
This exercise allows participants to experience how events actually happen, helping your team better understand their roles. However, simulation exercises can require quite a bit of time to plan and coordinate, while still not fully testing your team’s capabilities.
In parallel testing, your incident response team actually tests their incident response roles in a test environment.
Parallel testing is the most realistic simulation possible and provides your team with the best feedback about their roles. However, parallel testing is more expensive and requires more planning time than the other exercises because you need to simulate an actual production environment (e.g., systems, networks).
Before conducting a tabletop exercise, determine your organization’s needs by asking:
Next, design your tabletop exercise around an incident response plan topic that you want to test. Identify any desired learning objectives or outcomes. From there, create and coordinate with your tabletop exercise staff (e.g., facilitator, participants, and data collector) to schedule your tabletop exercise.
When designing your tabletop exercise, prepare the following exercise information:
After conducting a tabletop exercise, set up a debrief meeting to discuss response successes and weaknesses. Your team’s input will help you know where and how to make necessary revisions to your incident response plan and training processes.
If you don’t already have an incident response plan, creating one should be your top priority. Next, regularly practice and review your plan with executives and staff. Without regular tabletop exercises and simulation training, your incident response team (and staff) can make poor decisions that may make the breach impact worse.
A data breach can be the most stressful situation an organization ever handles, but it doesn’t have to be the end of your organization. By following your incident response plan, you’ll be ready to stop patient data theft and restore operations as quickly as possible.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify security best practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, and Certified Forensic Investigator, we have tested over 1 million systems for security.