Web Exclusive

Ensure a Solid Incident Response Plan to Effectively Manage Breaches
By Lisa A. Eramo

Organizations should devise an incident response plan that addresses not only protected health information (PHI) but also personally identifiable information (PII), says Ali Pabrai, CISSP, CSCS, CEO of ecfirst, Inc. That’s because state regulations typically don’t distinguish between health information and PII, he says.

This plan should include four phases, which are outlined in the Guide to Protecting the Confidentiality of Personally Identifiable Information, published by the National Institute of Standards and Technology (available at http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf). These phases include preparation; detection and analysis; containment, eradication, and recovery; and postincident activity.

During the preparation phase, ask these questions:

• What are the organization’s policies and procedures for breach notification?

• What type of training and awareness programs will the organization provide to employees regarding those policies and procedures? Training should simulate an incident and test whether the response plan is effective. It should also inform employees of the consequences of their actions for inappropriately using PII.

• How will employees report suspected or known incidents of breaches? Methods could include a phone hotline, e-mail, an online form, or a specific management reporting structure that identifies a contact person.

• Do employees know what constitutes a breach? For example, accidental disclosures do not constitute breaches.

• What information will an employee who suspects or knows of a breach need to report? For example, the employee may need to provide the date and the time the incident was discovered, a description of the information lost or compromised, and the number of individuals potentially affected.

During the detection and analysis phase, ask these questions:

• How will the organization discover a breach?

• What security controls can the organization use to better detect and prevent breaches? For example, solutions may include the expanded use of encryption, identity and access management solutions, data loss prevention solutions, endpoint security solutions, and intrusion detection and prevention.

During the containment, eradication, and recovery phase, ask these questions:

• How will the organization identify and immediately stop the source of the breach?

• What is the process for media sanitization when PII must be deleted from media during recovery?

• How will the organization review the system or data that were compromised? This may involve using computer forensic techniques to ensure the preservation of evidence and identify electronic information that was compromised.

• How will the organization identify and sequester pertinent medical records, files, and other documents (paper and electronic)?

During the postincident activity phase, ask these questions:

• What did the organization learn from the breach?

• What, if any, additional training, security controls, or procedures are necessary to protect against future incidents?

— Lisa A. Eramo is a freelance writer and editor in Cranston, R.I., who specializes in healthcare regulatory topics, HIM, and medical coding.