The Serious Consequences of Lacking a Breach Response Plan
Premise Health CISO Joey Johnson Stresses the Need for Working with Partners in Advance
A lack of incident response planning often leads to an unanticipated series of serious consequences for organizations that experience data breaches, says Joey Johnson, CISO of Premise Health.
The biggest problem with breaches for many entities is "the massive lack of preparedness," Johnson says. "If you are dealing with some kind of persistent threat that's been in your network for 18 months, the best response may not be to panic and shut everything down. You're going to need to understand the pervasiveness of it, what's happening, the ancillary functioning. Sometimes if you take the wrong response it can lead to tipping off the compromising entity, and they're going to shift their tactics, and you're going to have a much harder time."
Who You Gonna Call?
Johnson also stresses the importance of identifying partners with investigative and legal expertise and preparing an incident response plan that can be put into place if a breach occurs.
When organizations experience a breach and they lack an incident response plan, "they're going to call in a forensics group, they're going to call in some legal counsel, and those entities are not going to be prepared to help," he says. "So, you're going to be spending a lot of money very quickly on very high hourly rates under stress and duress. Those entities coming to help have no context of your organization. They don't know who the players are, the systems footprint, so there's a lot of lost time there."
When dealing with a breach that involves protected health information, the forensic investigators and attorneys likely will be accessing that PHI, "so you probably want a business associate agreement with them up front" that spells out expectations for keeping patient data secure, he says. "For many organizations it's a lack of preparedness and not recognizing all the little 'gotchas' that can happen along the way that can get them into a lot of trouble."
In a video interview at Information Security Media Group's recent Healthcare Security Summit in New York, Johnson also discusses:
- Tips for improved vendor risk management;
- Top cybersecurity priorities for 2017.
Johnson, CISO of Premise Health, Brentwood, Tenn., has more than 15 years of cybersecurity experience. Premise Health, a provider of healthcare services to other companies' employees at their worksites, was formed as a result of the merger of Take Care Employer Solutions - a former subsidiary of Walgreen Co. - and CHS Health Services. Johnson formerly served as chief security officer for the U.S. Department of Commerce - Office of Computer Services, and held various security and network architecture roles leading the design and implementation of complex enterprise networks for airports, hospitals, universities and federal agencies.