Security incident management: are you ready?

May 08, 2018
Health IT

The good news is, you don’t need to start from scratch building your security incident response plan. HITRUST has best practices and rubrics to guide you. ISO standards (ISO/IEC 27035:2016) provide a useful framework from which to start, as well. But it’s just a place to start. Protecting PHI and responding to threats requires an individualized process and plan for each organization.

When I work with our customers, I try to help them document important details, but not get so "in the weeds" that they lose effectiveness in the event of a crisis. I often bring up one of my favorite books, The Checklist Manifesto, where the author speaks of being in an airplane with both engines failing. You have your checklists prepared in advance, just like your incident response plan. You grab the list, and number one on the list is fly the plane. You have to get back to basics and get your organization functioning at full capacity. Make sure your run books are simple and logical. And make sure you have the right people at the table to contribute to your security incident management plan.

Choose a cross-functional team passionate about security
Security incident management is not isolated to your IT staff and your CTO. Include your CIO, CEO, legal counsel, communications, program or app managers, and DevOps for starters when you’re working on your incident response plan.

You’ll want to divide these people into two working teams. In the event of an incident, the first team is the incident responders – at a minimum, your IT staff, your managed services provider and your CTO. They follow prescribed, exact steps through an analysis phase, building an understanding of what’s happening as they classify findings and lay out the facts.

If it looks like it’s going to get serious, you’ll need to escalate and bring in your second team – your executives and legal counsel. This should include your CIO, CEO, CTO, CISO and communications lead. While the incident responders work to identify, isolate and remediate, the other team can be deliberating, documenting and following the risk analysis protocols required by the Office for Civil Rights (OCR) to determine whether a reportable incident has occurred. You may also need to include third-party suppliers, customers, forensics specialists and law enforcement to ensure your investigation is sound and that communications are in place for your regulators, your patients, and your internal and external audiences.

A detailed breach notification is required within key timeframes by HIPAA, as well as by state regulations. That does not mean the incident responders should announce that a breach has occurred. A breach is a legal declaration, and the announcement should be left to the legal team, not the IT team.