How to Implement a Cyber Incident Response Plan for Healthcare
Creating a comprehensive cyber incident response plan can help healthcare organizations maintain reputation and patient safety.
Having a cyber incident response plan in healthcare is required under HIPAA, but that does not mean that every healthcare organization actually has a comprehensive and actionable plan tailored specifically to their organization.
When organizations work together cross-functionally to develop and regularly practice a thorough incident response plan, they can mitigate risk and ensure that the plan is functional and applicable to all parties.
“When you don't have a comprehensive plan, there's a good chance that you'll lose track of incidents or that you'll react inappropriately to an incident,” Nathan Salminen, senior associate at Hogan Lovells, explained in an interview with HealthITSecurity.
Salminen helps his clients manage cybersecurity risks, develop security programs, and navigate the rocky legal and reputational consequences that often come along with data breaches.
“As cybersecurity incidents have become higher profile, the universe of companies that have nothing at all in terms of an incident response plan is shrinking. Companies that are still in that space where they have no plan at all are starting to stand out a little bit more and really need to get on top of that,” Salminen noted.
“But what we see more often is companies that have something on paper, but don't really have it down. They have a half-baked plan. And that can carry a lot of consequences.”
The Importance of Having a Comprehensive Incident Response Plan
Under the Security Incident Procedures standard, HIPAA requires covered entities to develop an incident response plan in order to remain in compliance. Covered entities must develop a data backup plan, a disaster recovery plan, and an emergency mode operation plan, among other administrative safeguards.
Although it is a requirement, not all incident response plans are equivalent, and having a plan on paper may not translate to an actionable strategy when a security incident occurs. Healthcare entities should create an incident response plan that is customized specifically to fit their organization’s needs.
The healthcare sector is especially vulnerable because organizations must contain cybersecurity incidents quickly without disrupting quality patient care, which makes it difficult to contain and respond to cyber threats in a timely manner.
“There are a lot of things that can go wrong in the first couple of hours,” Salminen explained. “Evidence can be destroyed. Communication can be sent out that you wish you could take back, and containment doesn't always go as you would hope. Sometimes, an incident will expand significantly after it's discovered when it could have been averted by using some simple practical measures to contain it.”
Additionally, data breaches are costly and can stain a healthcare organization’s reputation. A recent report from IBM Security and Ponemon Institute found that healthcare data breaches cost on average $9.23 million per incident.
“If you do have an incident and you don't have the right safeguards in place, there is certainly a risk that you'll experience fines and other regulatory activity as well,” Salminen emphasized.
On top of potential fines, healthcare data breaches that impact the protected health information (PHI) of over 500 individuals legally have to be reported to HHS. Once the breach has been reported, it appears on the Office for Civil Rights’ (OCR) data breach portal, which is publicly available.
Considering the potential reputational harm, disruptions to patient care, and exorbitant costs that can result from a healthcare data breach, creating and maintaining a comprehensive incident response plan is worth the effort.
Maintaining Open Communication Between Legal and IT Teams
“The IT and legal action teams don't always work closely together,” Salminen noted. “They each have their own idea of what's important in the world. They have their own skillset. The incident crosses both of those fiefdoms which requires some advance coordination to get right.”
An organization’s legal and IT teams are both essential players when responding to a security incident, which means that they should also work together to create an incident response plan that accounts for the consequences and considerations of both groups.
“For example, when IT is responding to an incident, the team doesn't typically have the company's contractual obligations in mind when they're classifying the risk of an incident. They might not have a full appreciation of the legal stakes,” Salminen mentioned.
“Conversely, legal often doesn't understand the technical reality of a security incident. They might envision a process that is not as technically sound or that doesn't focus on what to do to protect the actual systems of the company. Incident response plan drafting is an opportunity for those two groups to figure out where they need to interact and develop a strategy to take to both sides of the house.”
For an incident response plan to be effective, teams from all disciplines within an organization must collaborate. For example, if an organization shifts from an on-premises data center to a cloud-based storage architecture, the IT team should communicate the change to the legal team and subsequently tweak the organization’s incident response plan to reflect the changes.
“It's really helpful for them to come together at least once a year to review the incident response plan to confirm at the very least that it still fits,” Salminen advised.
Identifying, Tracking, and Containing the Incident
When a security incident occurs, organizations typically want to contain and eradicate the breach as soon as possible. Sometimes, this can lead to hasty decision-making, destruction of evidence, or a loss of critical data. For that reason, it is critical to have a pre-determined incident response plan that walks organizations through a breach response from start to finish with measured steps.
Policies and procedures for identifying, tracking, and containing security incidents are key elements of any incident response plan. While this basic structure may be applicable across all organizations, each healthcare entity’s tactics may look different depending on the critical data that they possess, where the data is stored, and which key players in the organization are to be involved in the response team.
In the event that unauthorized actors get past preventive measures such as antivirus protection and multi-factor authentication, the incident response plan comes into play.
In terms of identifying an incident, organizations should have policies in place for evaluating what is or is not a security incident, where in the lifecycle the incident is when it is discovered, and how to determine whether the suspicious activity is malicious.
Next, organizations should focus on creating procedures for tracking and containing security threats.
“Oftentimes these processes are very informal where someone from the IT or security organization just has it in their head,” Salminen said.
“They talk about it on email, or they mention it in a meeting, but there's no single repository for tracking them. And the result is that incidents can fall between the cracks.”
To avoid further damage, Salminen advised that organizations develop an escalation path, or a procedure that helps to manage decision-making workflows to solve a problem quickly and efficiently. The incident might begin with the IT team, then escalate to a working group, general counsel, or CEO, depending on the severity of the incident.
Creating an escalation path ensures that an incident doesn’t stay in one stage for too long and that the appropriate people are getting involved at the right time.
Implementing a Communications Strategy
Implementing a thorough communications strategy in the event of a breach can help organizations avoid miscommunication with stakeholders and customers.
“Often when you're responding to an incident, part of what you're doing is also creating a legal record that may have significant consequences for the company. The tendency is that legal is one of the last groups to get brought in,” Salminen explained.
“By the time they get brought in, emails may have already gone out to customers or employees, and others may have already done a bunch of analysis that was not conducted under attorney-client privilege.”
Healthcare organizations should engage with legal teams to draft breach notification letters to impacted patients and employees. If the breach impacted more than 500 individuals, covered entities are also required to notify prominent media outlets and the HHS Secretary within 60 days of the breach. In addition, covered entities should post a notice on the home page of their website to ensure that impacted individuals are aware of the breach.
Engaging with a legal team for this aspect of an incident response plan can help organizations potentially avoid legal issues later.
Practicing the Plan
Regularly practicing the incident response plan is almost as important as having the plan itself. Organizations should consider developing training programs and doing incident simulations to ensure that relevant parties are prepared for a security incident.
“Some companies may just develop a plan and then make it available on the intranet or maybe email it around, and then that's the last time they mention it. It just goes into a drawer and doesn't really serve a useful purpose,” Salminen said.
“Companies that conduct a tabletop exercise where they're bringing in stakeholders from a lot of different groups and practicing working through an incident tend to react better.”
Implementing technical and administrative safeguards is a necessary action that HIPAA covered entities are required to take. But having an incident response plan and actually using it are two different things. In order to truly be prepared for a security incident, healthcare organizations should regularly practice their incident response plans, encourage cross-functional communication, and ensure that every potential security scenario has a corresponding mitigation strategy.
Regulatory consequences and steep costs are often top-of-mind, but Salminen emphasized that minimizing damage should be the driving motivation for creating a comprehensive incident response plan.
Additionally, when data breaches get out of hand, they distract healthcare organizations from their primary obligation, which is to care for patients.
“We often overlook the elephant in the room. The best reason to have a robust security program is so that you don't have data breaches and security incidents. The regulatory risks in a lot of ways are secondary,” Salminen concluded.
“Companies that experience a big data breach will usually primarily suffer from the reputational harm, and the costs of responding to and mitigating the attack. Those costs might outweigh the costs of regulatory action by orders of magnitude. So, your best hope from having good incident response plans and proper safeguards is that you'll avoid having the incident in the first place.”