
HHS Stresses Importance of Having an Effective Cybersecurity Incident Response Plan

The Health Sector Cybersecurity Coordination Center (HC3) has published a threat brief that highlights the importance of developing an effective cybersecurity incident response plan. Given the extent to which healthcare organizations are targeted by malicious actors and the number of data breaches now being reported by HIPAA-regulated entities, a successful attack and resulting data breach should be treated as inevitable. It is no longer a question of whether there will be a cyberattack, but of when, and how many.

Without a tried and tested incident response plan, valuable time is lost when an attack occurs, which not only prolongs the response but also increases its cost. Inappropriate actions taken in the heat of an incident can inadvertently destroy evidence that investigators and forensic teams need, and failures in incident response planning can also lead to civil monetary penalties and other regulatory action, greater reputational damage, extended disruption to patient care, and costly lawsuits.

What is a Cybersecurity Incident Response Plan?

A cybersecurity incident response plan is a written document, formally approved by senior leadership, that sets out the steps to be taken when a cybersecurity incident is confirmed or suspected. Because the plan can be followed systematically, it ensures an efficient response that limits the damage caused and allows recovery in the shortest possible time.

The plan clarifies the roles and responsibilities of key personnel in the event of a cybersecurity incident, including employees and third parties. It should include contact information for everyone involved in the response, documented policies and procedures that take a systematic approach to handling incidents, communication plans, standard protocols, playbooks tailored to the organization and to specific types of attack, the documentation and notification requirements, and a method for measuring the capability and effectiveness of the response so the plan can be improved after each incident.


The NIST Computer Security Incident Handling Guide

The National Institute of Standards and Technology (NIST) offers guidance for organizations on cybersecurity incident response planning in Special Publication 800-61 Revision 2, Computer Security Incident Handling Guide. The guidance focuses on detecting, analyzing, prioritizing, and handling incidents, and includes the principles and steps required for an effective incident response plan. It covers the entire incident response lifecycle in four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. NIST has since superseded Revision 2 with SP 800-61 Revision 3 (April 2025), which reframes incident response around the Cybersecurity Framework 2.0 functions; the phases above are those of Revision 2, which is the version the HC3 brief draws on.

The Incident Response Lifecycle. Source: NIST SP800-61

The HC3 Cybersecurity Incident Response Plan threat brief outlines the key elements of each of those phases, and CISA has published guidance on incident response plan basics.

An Incident Response Plan is Necessary for HIPAA Security Rule Compliance

The HIPAA Security Rule (§ 164.304) defines a security incident as “The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Under the Security Incident Procedures standard (§ 164.308(a)(6)(i)), HIPAA-regulated entities must implement “policies and procedures to address security incidents,” and the accompanying Response and Reporting implementation specification (§ 164.308(a)(6)(ii)) requires them to “identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.” Note that the definition covers attempted as well as successful unauthorized access, so the plan must address how attempts are logged and triaged, not only confirmed compromises. It is also necessary to establish and implement a contingency plan under § 164.308(a)(7): policies and procedures for responding to an emergency or other occurrence, such as a cyberattack or system failure, that damages systems containing electronic protected health information or renders those systems unavailable.

The contingency plan standard has five implementation specifications, and the incident response plan should dovetail with them: a data backup plan, a disaster recovery plan, and an emergency mode operation plan (all required), plus testing and revision procedures and an applications and data criticality analysis (both addressable, meaning the entity must implement them or document why an alternative is reasonable and appropriate). The incident response plan should also describe how members of the workforce must respond to a security incident and include procedures for mitigating the incident, preserving evidence, documenting the incident and its outcome, and evaluating the incident and the response so that risk management processes can be improved.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
