
Prepare ahead of time for security incidents

HIPAA Training Advisor, December 28, 2006

Section 164.308(6) of the security rule requires your organization to establish policies and procedures that address security incidents. Tailor your plan to your facility's needs by revisiting the policy and examining past incidents. And use your imagination. Just because a particular breach scenario hasn't happened doesn't mean it won't.

Getting caught off-guard means you're more likely to conduct incident response the wrong way, by "panicking and pointing fingers," says Kevin Beaver, CISSP, an Acworth, GA-based security consultant. Prevent knee-jerk incident response by implementing and testing a comprehensive policy, Beaver says. Your policy should include the following items:

  1. Overview: A summary of the policy and a list of employees responsible for incident response. These employees will vary depending on the organization but should include compliance, privacy, and information security officers, as well as representatives from the human resources, marketing/public relations, and legal departments, says Reece Hirsch, partner at Sonnenschein Nath & Rosenthal LLP in San Francisco.
  2. Preparation: A description of your readiness to respond to incidents.
  3. Detection: A definition of what constitutes an incident and the tools your organization uses to detect them.
  4. Investigation and containment: An outline of the specific steps to take and tools to use after detecting an incident.
  5. Eradication: A description of how to deal with the breach. Steps to take might include disconnecting the network connection from a computer you suspect is infected, reformatting drives, changing all passwords, and scanning for vulnerabilities.
  6. Recovery: Instructions for bringing systems back online and monitoring for repeat attacks.
  7. Following up: A process for determining what the organization could have done differently. You should recommend and implement changes to administrative, technical, or physical safeguards.
  8. Calling tree: Contact information for the incident response team members.
  9. Testing: A procedure for testing and improving the policy.
  10. History: Notes on previous incidents and changes.
  11. Revisions: Past versions of the incident response plan.
  12. Diagram: A current network diagram showing all network hosts and their configuration information.

After building the incident response plan, test it. "Organizations simulate a breach, such as a virus outbreak or a disgruntled former employee who has broken into the electronic medical records system (EMR), and see how users and the response team respond," Beaver says. Perform these simulations yearly. Also, if you plan to outsource your incident response, make external arrangements before a breach occurs.

In addition, your plan needs to include consideration of laws besides HIPAA, Hirsch says. Pay special attention to state security breach notification laws (e.g., California's SB 1386) that might require you to notify the victims of an incident.

Handle the unexpected
Although preparation can help you properly handle incidents, it can only do so much. The many ways in which a healthcare organization's workforce uses information means that you might encounter incidents for which you are unprepared, says Lisa McCusker, corporate compliance and privacy officer at Sisters of Providence Health System in Springfield, MA. During her career in healthcare, McCusker has dealt with a variety of security incidents, including employees inappropriately transferring PHI to their personal computers for use at home and using EMR systems to look up fellow employees' records.

It's hard to discover these kinds of violations, McCusker says. "You don't usually find out about them until someone says, 'Gee, what's he doing?' "

However, you can't leave organizational compliance to chance. You must do whatever you can to monitor for incidents that might otherwise go unnoticed. For McCusker, this means regularly assessing systems, access controls, and the organization's environment. "You've got to be more visible. You have to tour the units and do a security assessment of your organization," she advises.

This includes assessments of the organization's technical and physical environments. Security log audits that target access to the records of employees and of patients with similar last names can help you catch inappropriate EMR access. And regular walk-arounds can tip you off to other violations.
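The log audit described above, as an added example that is not part of the original newsletter: it runs two checks over a constructed EMR access log, flagging chart views where the patient is also a workforce member and views where the patient's last name is similar to the accessing user's. The roster, patient directory and log records are hypothetical sample data.

```python
import csv
import io
from difflib import SequenceMatcher

# Constructed workforce roster: user id -> last name (hypothetical values)
EMPLOYEES = {"u100": "Garcia", "u101": "Nguyen", "u102": "O'Brien"}
# Constructed patient directory: patient id -> last name
PATIENTS = {"p1": "Smith", "p2": "Garcia", "p3": "Nguyen", "p4": "OBrien", "p5": "Lee"}
# Patients who are also workforce members (e.g., an employee treated here)
EMPLOYEE_PATIENTS = {"p3"}

# Constructed sample EMR access log, one record per chart view
SAMPLE_LOG = """\
timestamp,user_id,patient_id,action
2006-12-01T08:02:11,u100,p1,view
2006-12-01T08:05:40,u100,p2,view
2006-12-01T09:15:02,u101,p3,view
2006-12-01T09:20:19,u102,p4,view
2006-12-01T10:01:00,u101,p5,view
"""

def _norm(name):
    """Normalise a last name: drop apostrophes, ignore case."""
    return name.replace("'", "").lower()

def similar_names(a, b, threshold=0.85):
    """True when two last names match after normalisation or when their
    character overlap ratio is at or above the threshold."""
    if not a or not b:
        return False
    a, b = _norm(a), _norm(b)
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold

def audit_emr_access(log_text):
    """Return (timestamp, user_id, patient_id, reason) tuples for chart views
    that a privacy officer should review; one tuple per matching check."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        uid, pid = row["user_id"], row["patient_id"]
        if pid in EMPLOYEE_PATIENTS:
            findings.append((row["timestamp"], uid, pid, "record belongs to a workforce member"))
        if similar_names(EMPLOYEES.get(uid, ""), PATIENTS.get(pid, "")):
            findings.append((row["timestamp"], uid, pid, "patient last name similar to user's"))
    return findings

if __name__ == "__main__":
    for finding in audit_emr_access(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Flagged rows are leads for review, not proof of a violation: a clinician may legitimately treat a colleague or a relative, so the follow-up belongs in the investigation step of the plan.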

For example, you might find that few employees use the organization's computer stations or kiosks and that several workforce members carry laptops. In this case, question whether the organization issued the laptop and what information it contains. If it turns out that the employees are using personal laptops to store confidential information, begin your incident response immediately. In addition to wiping the drive of your organization's data, make sure to keep a copy of it for documentation purposes. "That way, if you are ever asked to produce the data off the drive, you have properly documented and recorded it. This also makes it easily retrievable," McCusker says.

Executing these precautions requires a clear head during crisis. Slow down to avoid making mistakes, Beaver says. "Refer to your plan and document everything along the way."

Editor's note: Adapted from "Prepare ahead of time for security incidents," Briefings on HIPAA, December 2006.
