You may be one of the fortunate healthcare organizations that has not yet experienced a security breach or inappropriate access to Personal Health Information (PHI). However, when you least expect it, it will happen to you.
You cannot prevent every breach, but you can take reasonable measures to reduce the likelihood of one, and you can create a plan to respond rapidly and appropriately. A poorly contained incident and a failed response have the potential to cost millions through penalties, lost business, and a ruined reputation. A well-executed plan can save your organization from these consequences.
If you haven’t already, it is important to create an incident management process. I suggest using the business impact analysis model, which will identify the potential risks and threats to the organization.
Here are eight steps organizations should take to develop an incident response process, each reflecting an area of the incident response management cycle.
- Risk analysis. Prior to developing the plan, the organization needs to understand the business – operations, processes, etc. – and identify the high-impact risks that must be mitigated. From whom or what is your organization trying to protect its assets?
- Threat analysis. Also prior to implementing a plan, a thorough understanding of the IT infrastructure is needed to identify single points of failure and other potential weaknesses. Where and how does your organization capture and store its most sensitive data? Perform a workflow and data flow analysis to determine this. Which systems and networks are the most vulnerable to attack?
- Security policy mapping. Security controls should be deployed throughout the organization to mitigate known threats, risks, and vulnerabilities to the extent possible. On an ongoing basis, assess the results of the risk and threat analyses and compare them to the existing security controls. Are there sufficient procedures in place? Are they securing the right things? The rigor of each procedure and control should be proportional to the potential threat and its associated impact.
- Incident response policies and procedures. When a breach happens, the organization will need to identify and classify the incident according to defined criteria. It must then activate the response team, contain and stop the incident, gather incident evidence and data where applicable, restore operations, notify affected individuals as necessary, and determine the course of action it will undertake. External organizations, patients, physicians, and regulatory agencies will want to see that plans were in place, that the exposure was addressed rapidly, and that affected patients and other people were notified.
- Testing. Testing validates and confirms the organization’s capabilities, provides training and awareness to the response team, clarifies responsibilities, and highlights weaknesses or invalid assumptions. If you don’t test, you won’t be prepared. It is highly recommended that the incident response process be tested at least twice per year.
- Review and update. Post-test or post-incident debriefings are essential. Validate the plan and update it if necessary.
- Create an incident response team. A breach can originate anywhere inside or outside of the organization. Therefore, it is important that the response team be a cross-functional group, including outside professionals and vendors if necessary. Potential team members include organizational leadership; information security, risk management, and compliance staff; IT staff; operational staff (business, financial, and clinical); legal staff; corporate or organizational communications staff; and external professionals such as forensic analysts and notification providers.
- Training. Once a plan and a team are in place, the next most important component of a good incident response plan is employee training. The speed with which a breach is reported to the response team can make a substantial difference in its impact. Train employees on the basics of security, how to recognize a breach, and, most importantly, what to do and whom to contact when an incident is identified.
Incident response and management are a top strategic priority. It is better to be proactive now than to perform damage control later around reputation, penalties, and patient care.
Rob Drewniak is vice president, strategic and advisory services, for Hayes Management Consulting.