Here is the latest monthly blog from the HIMSS Privacy and Security Committee, called PSST! Keep reading to learn more about this month’s topic, Best Practices in Cyber Incident Response, by HIMSS Privacy and Security Committee Chairperson Jeff Bell, CISSP, GSLC, CPHIMS, ACHE, Director, IT Security and Risk Services, CareTech Solutions.
In April of 2015, the U.S. Department of Justice (DOJ) Cybersecurity Unit released a guide “to assist organizations in preparing a cyber incident response plan and, more generally, in preparing to respond to a cyber incident.” The 15-page paper is entitled: Best Practices for Victim Response and Reporting of Cyber Incidents v 1.0. It “reflects lessons learned by federal prosecutors while handling cyber investigations and prosecutions, including information about how cyber criminals’ tactics and tradecraft can thwart recovery. It also incorporates input from private sector companies that have managed cyber incidents.”
This guidance from DOJ could not be timelier for healthcare organizations and business associates, as we find ourselves falling victim time and again to highly skilled cyber attacks. We all know that an incident response plan is important and valuable. Having a written plan provides you with a roadmap of what your organization’s policy is and what procedural steps must be taken for incident response by appropriate personnel. In fact, the HIPAA Security Rule requires the implementation of policies and procedures to address security incidents. But if you haven’t gotten around to developing one, or if yours is just shelf-ware, then check out the DOJ paper. I think you will find it insightful and practical. It clearly explains how and when to engage with law enforcement.
My most important recommendation is to read the DOJ paper and use it to develop or improve your own incident response plans. The following is an outline, extracted from the DOJ paper, on best practices for incident response and reporting of cyber incidents:
Steps to Take Before a Cyber Intrusion or Attack Occurs
- Identify Your “Crown Jewels”
- Have an Actionable Plan in Place Before an Intrusion Occurs
- Have Appropriate Technology and Services in Place Before An Intrusion Occurs
- Have Appropriate Authorization in Place to Permit Network Monitoring
- Ensure Your Legal Counsel is Familiar with Technology and Cyber Incident Management to Reduce Response Time During an Incident
- Ensure Organization Policies Align with Your Cyber Incident Response Plan
- Engage with Law Enforcement Before an Incident
- Establish Relationships with Cyber Information Sharing Organizations
Responding to a Computer Intrusion: Executing Your Incident Response Plan
- Step 1: Make an Initial Assessment
- Step 2: Implement Measures to Minimize Continuing Damage
- Step 3: Record and Collect Information
- Step 4: Notify
What Not to Do Following a Cyber Incident
- Do Not Use the Compromised System to Communicate
- Do Not Hack Into or Damage Another Network
After a Computer Incident
- Remain Vigilant for Follow-On Attacks
- Do a Post-Incident Review
The paper ends with a short Cyber Incident Preparedness Checklist.
The DOJ paper does not provide sector-specific advice. Healthcare organizations need to supplement the DOJ guidance to create an incident response plan that describes not only how to investigate the incident, document and report findings, mitigate any harmful effects, and monitor for any continuing malicious activity, but also how the organization will continue to operate safely, minimize any adverse impact on patient care and continuity of care during the incident, and return to normal operations. These procedures may already be documented in a business continuity plan or downtime procedures. Moreover, to the extent that the security incident rises to the level of a breach, your organization will need to follow its breach notification plan to comply with the requirements of the HIPAA Omnibus Rule, as well as any other applicable state and federal laws. If you need additional information about the breach notification requirements in the HIPAA Omnibus Rule, you may find the following resources helpful:
- HHS guidance on the Breach Notification Rule
- The ONC’s recently updated Guide to Privacy and Security of Electronic Health Information (See Chapter 7: Breach Notification, HIPAA Enforcement, and Other Laws and Requirements)
- HIMSS whitepaper: Breach Notification Guidance under the HIPAA Omnibus Rule
Stay tuned for our future PSST! blog posts by the HIMSS Privacy and Security Committee, including upcoming featured posts on incident and breach response as well as vendor risk management.