Sixth HIPAA Summit West
October 11, 2012
Chris Apgar, CISSP, CEO & President

Incident Response: Are you ready?

Overview

• Why You Need an Incident Response Plan (IRP)
• Regulatory (Federal & State) & Business Requirements
• Steps to Develop & Document a Working IRP
• Why & How to Test a Working IRP
• Tools and Resources for Your IRP
• Questions & Answers

Why You Need an IRP?
Regulatory Requirements (federal)

• IRP is a required HIPAA Security Rule standard for covered entities (CE) and business associates (BA)
• Requirement much broader than breaches of confidential data
• Breach Notification Interim Final Rule requires investigation, incident risk analysis & burden of proof
• Required breach notifications (individual, media, OCR)
• Includes electronic and non-electronic PHI breach
• Enforcement and Audits by OCR

Why You Need an IRP?
Regulatory Requirements (federal)

• Most states require implementation of administrative, physical and technical safeguards, including an incident response process
• Most states require breach notification for unencrypted electronic personally identifiable information (PII)
• Some states such as Texas and California require notification of a breach of PHI & some may include non-electronic PII/PHI
• State breach laws imply incident investigation, notification and mitigation

Why You Need an IRP?
Business Requirements

• Mission and community commitment
• Patient/customer safety
• Protection of institution’s reputation
• Avoiding loss/churn of patients/customers
• Job expectation and security
• Prevent breaches before they happen and limit harm

Why You Need an IRP?
Business Requirements

• Minimizing financial exposure from:
  • Federal penalties for non-compliance or “willful” neglect (knew or should have known)
  • Penalties up to $50,000 per incident/up to $1.5 million per calendar year for same type of incident
  • State penalties for non-compliance over and above federal penalties
  • State attorneys general may enforce HIPAA/HITECH in federal circuit court
  • Civil suits

Steps to Develop a Working IRP
Goals & Scope Definition

• Executive Sponsorship
• Defining Cross Organizational Goals
• Defining Scope of IRP
• Resource Commitments (cross-functional)
• Plan Ownership & Team Leadership
• Roles & Responsibilities (Board, Management, Staff)

Steps to Develop a Working IRP

PICERF Lifecycle (Preparation, Identification, Containment, Eradication, Recovery, Follow-up), as advanced by the SANS Institute

Steps to Develop a Working IRP
Planning Nuts & Bolts

• Preparation
  • Plan development & periodic test schedule
  • Response team education (annual & on-going)
  • Keeping an eye on trends and risks
  • Plan review & revision (at least annual)

Steps to Develop a Working IRP
Planning Nuts & Bolts

• Identification
  • Incident reporting: Who do I tell?
  • Incident categorization (e.g., IT infrastructure, natural disaster, theft, loss of mobile devices, etc.)
  • Risk categorization
  • Escalation requirements
  • Documentation requirements (may not require escalation; incidents are often not breaches)

Steps to Develop a Working IRP
Planning Nuts & Bolts

• Identification
  • If breach of PHI/PII, determine:
    • Scope of breach
    • Type of PHI/PII breached (e.g., name, Social Security number, etc.)
    • If PHI/PII was unsecured
    • Risk to individuals/“significant harm”

Steps to Develop a Working IRP
Planning Nuts & Bolts

• Containment/Mitigation
  • If notifiable breach, initiate notification process
    • Notify individuals
    • Notify OCR, if required
    • Notify media, if required
    • Notify government agencies, if required

Steps to Develop a Working IRP
Planning Nuts & Bolts

• Containment/Mitigation
  • Investigation to containment
  • Eliminate discovered vulnerability
  • Limit damage/shut down affected applications
  • Initiate business continuity plan steps
  • Notify law enforcement

Steps to Develop a Working IRP
Planning Nuts & Bolts

• Eradication
  • Isolate affected hardware, software and data
  • Determine scope of impact following isolation
  • Initiate legal/personnel action
  • Enlist workforce members and third parties to assess physical/technical environment for potential additional damage

Steps to Develop a Working IRP
Planning Nuts & Bolts

• Recovery
  • Restore hardware, software and data
  • Determine when to return to normal operations
  • If data corruption, restore to previous backup or flag in EHR
  • Initiate disaster recovery plan

Steps to Develop a Working IRP
Planning Nuts & Bolts

• Follow-up
  • Debrief and planning
  • Review of low level incidents periodically
  • Implement enhanced or new security controls
  • Review and amend IRP as necessary
  • Review and amend DRP/BCP as necessary

Testing of Your IRP
Why Should You Test?

• Incomplete planning may result in violation of law, civil suits, damage to patients and harm to the business/practice
• Untested plans may not work as intended when really needed
• Preventable breaches occur
• Risks change and cyber crime is on the increase
• Ultimately you lose and your customers/patients lose

Testing of Your IRP
Why Should You Document?

• Plans often rely on key individuals
• If the plan is not documented and key individuals are not available, it may fail when ultimately tested
• Damage is not limited to breaches of unsecured data:
  • Corruption of data that is then relied upon, leading to adverse outcomes
  • Server crash making needed data unavailable at critical moments
  • Backup recovery failure and loss of ability to address day-to-day business/clinical responsibilities
  • Disasters occur and responses are not timely, causing business/clinical harm

Testing of Your IRP
Steps to Test Your IRP

• Identify players: IT/Business/Clinical
• Develop incident scenario
• Schedule IRP table top test and include all team members
• Identify moderator and scribe

Testing of Your IRP
Steps to Test Your IRP

• Moderator to guide team through triage phase
• Apply IRP tools and resources (internal & external)
• Debrief and plan next steps
• Evaluate moderator and scribe notes
• Revise IRP

Testing of Your IRP
Steps to Test Your IRP

• Develop recommendations
• Revise IRP
• Modify team membership
• Train team members
• Follow up test

Testing of Your IRP
Summary of Things You Must Do

• Develop & document your incident response plan (IRP)
• Designate a Team
• Establish your internal and external resources and tools for your IRP
• Test your IRP and annually review & revise as needed

Tools & Resources for IRP
Resource Organizations & Documents

• Breach Notification Interim Final Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
• NCSL State Breach Notification Laws: http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
• US Dept. of Health & Human Services Privacy Incident Response Policy/Plan: http://www.hhs.gov/ocio/policy/hhs-ocio-2010-0001.001c.html

Tools & Resources for IRP
Resource Organizations & Documents

• NIST IRP Planning Guide: http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf
• NIST IRP Test Guide: http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf
• University of California Privacy & Data Security IRP: http://www.ucop.edu/irc/itsec/documents/uc_incidentresp_plan.pdf
• SANS “The Incident Handlers Handbook”: http://www.sans.org/reading_room/whitepapers/incident/incident-handlers-handbook_33901

Summary and Q&A

Chris Apgar, CISSP
CEO & President