Events , Governance & Risk Management , HIMSS

Conducting Incident Response Exercises

Postmortems of High-Profile Breaches Help Improve Response
Conducting Incident Response Exercises
Mark Dill of Cleveland Clinic

Recent mega health data breaches, including the Anthem Inc. hacking attack that affected 78.8 million individuals, provide good opportunities for other covered entities and their vendors to review their own incident response plans, say security experts speaking at a HIPAA workshop during the HIMSS 2015 conference in Chicago.

See Also: The Dark Side of AI: Unmasking its Threats and Navigating the Shadows of Cybersecurity in the Digital Age

"You should constantly be scanning what's happening at other entities, and do a postmortem with your own organization to see how you'd deal with the incident," advises Rita Bowen, senior vice president of health information management and privacy officer at Healthport, a provider of health information release services, which acts as a business associate to covered entities.

For instance, in reviewing what's known about the recent Anthem hack attack, or the 2013 breach at Advocate Medical Group in Chicago involving the theft of four unencrypted computers containing data for about 4 million patients, organizations can get additional insight into what they might need to do to improve their incident response, as well as breach prevention efforts, Bowen says.

Among the questions to consider in a postmortem analysis of an incident are:

  • What was threat involved in the incident?
  • What was the vulnerability?
  • What safeguards should have been in place?
  • What processes could have been carried out better?
  • What incident response best practices could've been helpful if implemented?
  • What resources could've been used to avoid the incident scenario?

Avoiding Mistakes

Postmortem analysis of incidents, whether an organization's own or those that occurred at other entities, also helps shine a spotlight on mistakes to avoid.

In analyzing the Advocate breach, organizations need to ask themselves, "what were 4 million patient records doing on workstation computers in the first place," and do those other entities have similar risks, says Tom Walsh, CEO of consulting firm tw-Security, during a discussion at the HIMSS 2015 Conference workshop, "Navigating the Practical and Legal Aspects of HIPAA."

Circumstances in the Advocate breach, for instance, can be a good opportunity for other organizations to reassess their own encryption policies, and "whether they encrypt everything, and if they don't, do they have the important documentation of why they decided not to encrypt," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. If an organization is investigated by the Department of Health and Human Services' Office for Civil Rights in the wake of a breach, it's important that the entity has such documentation if the incident involved an unencrypted device, he says.

Write a Playbook

Mark Dill, director of information security at the Cleveland Clinic, says a post-mortem analysis of incidents that occur within a covered entity, as well as mock postmortems of high-profile breaches that happen elsewhere, can help entities fine-tune their incident response to all types of breaches.

But to be prepared in advance for responding to incidents, Dill suggests organizations have a playbook for dealing with each of the common types of breaches, whether it be lost or stolen devices, a hacking attack or human error.

"Put in writing everything that you will need for incident response," he says. The playbooks Dill uses at Cleveland Clinic are seven- to 10-page documents "that are quick-reads, designed to be read in an emergency - keep one in your car, at home," he says. The playbook should include reminders about which departments, such as IT, legal and human resources, need to be pulled quickly into incident response, as well as how to contact law enforcement and third-party incident response vendors.

"Time is of the essence," he says.

Dill also advises conducting tabletop incident response exercises periodically, including those involving more than one playbook at once, so that members of the response team can be better prepared for dealing with various scenarios that can occur, and plans can be modified.

"You can't improve what you don't measure. That's why tabletop exercises are so important."

Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.