
9 Incident Response Procedures – Ep 381 

 November 11, 2022

By  Donna Grindle

What is your Incident Response Plan? If you said “Oh, we’ll just call IT,” then you need to listen to this podcast. We review the October 2022 OCR Cybersecurity Newsletter, which lists nine procedures that regulated entities should consider including in their security incident procedures.


In this episode:


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


The Privacy and Security Boot Camp

3.5 day In Person Event

Mar 12, 13, 14 and 15, 2023

PriSecBootCamp.com



HIPAA Say What!?!

[03:07]

“Ding Dong” — FTC-Drizly Data Breach Settlement Will follow CEO Personally for a Decade | Mintz

Say what? The very first paragraph reads:

The Federal Trade Commission (“FTC”) announced on Monday that it is settling a case against Drizly and its CEO stemming from a 2020 data breach that impacted roughly 2.5 million consumers. The proposed order not only contains a laundry list of security-related obligations for Drizly that span twenty years, but also names and targets its CEO James Cory Rellas personally, hitting him with obligations that will follow him for a decade, even if he moves to other organizations. There are also hints that the FTC intends to elevate information security issues to boards of directors and other top-level executives.

Wow! The article goes on to list the information security issues from the FTC complaint. I want to point out that these same issues are required under HIPAA as well. Basically, the FTC has put Drizly on a 20-year CAP (corrective action plan). And you thought a 2-year CAP from OCR was outrageous.

9 Incident Response Procedures

[09:29]

October 2022 OCR Cybersecurity Newsletter

Seventy-four percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of PHI. A timely response to a cybersecurity incident is one of the best ways to prevent, mitigate, and recover from cyberattacks.

The newsletter includes a lot of information explaining the importance of incident response plans and the regulations that require entities to have them. The section we feature in this episode covers the procedures that entities “should consider including” in their security incident procedures. That section comes after OCR points out that stopping and neutralizing the attack has to come first in your plan. Many people assume that is all an incident plan is, and they miss a number of other things that are needed. So here are the 9 procedures identified by OCR that you should “consider” (wink, wink).

Responding to security incidents

Important steps to ensure that the threat is neutralized include: determining the nature and extent of the damage caused by the security incident; identifying and removing any malicious code and components that the security incident may have left behind; and mitigating any vulnerabilities that may have permitted the security incident to occur. Collecting and preserving data relevant to investigating the security incident, such as log files, registry keys, and other artifacts, should also be part of security incident response activities.

October 2022 OCR Cybersecurity Newsletter
[14:02]

To be better prepared to respond to security incidents, regulated entities “should consider including the following as part of their security incident procedures”:

  1. Designating appropriate personnel (qualified internal resources and/or external third parties) to be members of the security incident response team
  2. A communication plan and contact information for notifying all members of the security incident response team, and others as required (e.g., management) when a security incident occurs
  3. Processes to identify and determine the scope of security incidents
  4. Instructions for managing the security incident
  5. Creating and maintaining a list of assets (computer systems and data) to prioritize when responding to a security incident

[28:54]

  6. Conducting a forensic analysis to identify the extent and magnitude of the security incident
  7. Reporting the security incident to appropriate internal and external entities (e.g., the regulated entity’s IT and legal departments, local FBI Cyber Task Force Field Office, federal and state regulatory authorities, and other individuals or entities as required)
  8. Processes for collecting and maintaining evidence of the security incident (e.g., log files, registry keys, and other artifacts) to determine what was accessed during the security incident
  9. Processes for conducting regular tests of the security incident response process
While each security incident has its own set of facts that require a well-tailored response, regulated entities should develop a process for security incidents that commonly occur. For example, a regulated entity might have a specific process for responding to a ransomware attack and other processes for responding to insider malicious activity, cyber-attacks from hackers, and phishing attacks. Specific processes addressing common types of security incidents can improve workforce members’ understanding of what to do and the regulated entity’s speed in responding to these security incidents.

October 2022 OCR Cybersecurity Newsletter
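The newsletter twice mentions collecting and preserving evidence (log files, registry keys and other artifacts) without saying what “preserving” looks like in practice. The script below is an added example, not from OCR or from the show: it copies a set of artifact files into an evidence folder, hashes each copy with SHA-256, writes a manifest recording who collected what and when, and later re-hashes the copies to flag anything that changed after collection. The file names, log lines, registry export, case number and collector address are all constructed for the demo.

```python
"""Evidence collection with an integrity manifest (added example).

Copies artifacts into an evidence directory, records a SHA-256 hash for
each copy in manifest.json, and verifies later that nothing was altered.
All sample data below is constructed; the manifest layout is an assumption
for illustration only.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample artifacts standing in for files pulled from a compromised host.
SAMPLE_ARTIFACTS = {
    "auth.log": (
        "Nov 11 02:14:07 web01 sshd[2211]: Failed password for root from 198.51.100.23 port 52211 ssh2\n"
        "Nov 11 02:14:09 web01 sshd[2211]: Accepted password for root from 198.51.100.23 port 52211 ssh2\n"
    ),
    "run_key.reg": (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
        '"Updater"="C:\\\\Users\\\\Public\\\\svc.exe"\n'
    ),
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large artifacts never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(sources, evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Copy each source into evidence_dir and record its hash in a manifest.

    The original is hashed before the copy and the copy after; if the two
    differ the copy is discarded rather than silently kept.
    """
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [],
    }
    for src in sources:
        src = Path(src)
        original_hash = sha256_file(src)
        dest = evidence_dir / src.name
        shutil.copy2(src, dest)  # copy2 preserves the original's timestamps
        copy_hash = sha256_file(dest)
        if copy_hash != original_hash:
            dest.unlink()
            raise RuntimeError(f"copy of {src} does not match the original")
        manifest["items"].append({
            "source": str(src),
            "stored_as": dest.name,
            "size": dest.stat().st_size,
            "sha256": copy_hash,
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir: Path) -> list:
    """Re-hash every stored item; return the names whose hash no longer matches."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    altered = []
    for item in manifest["items"]:
        stored = evidence_dir / item["stored_as"]
        if not stored.exists() or sha256_file(stored) != item["sha256"]:
            altered.append(item["stored_as"])
    return altered


def demo() -> tuple:
    """Write the sample artifacts, collect them, tamper with one, and re-verify."""
    work = Path(tempfile.mkdtemp())
    host_dir = work / "host"
    host_dir.mkdir()
    for name, body in SAMPLE_ARTIFACTS.items():
        (host_dir / name).write_text(body)
    evidence = work / "evidence"
    manifest = collect_evidence(sorted(host_dir.iterdir()), evidence,
                                "responder@example.org", "IR-2022-0001")
    clean = verify_evidence(evidence)          # expected: nothing altered
    with (evidence / "auth.log").open("a") as f:  # simulate post-collection edit
        f.write("Nov 11 02:15:00 web01 sshd[2211]: edited after collection\n")
    tampered = verify_evidence(evidence)       # expected: ["auth.log"]
    shutil.rmtree(work)
    return len(manifest["items"]), clean, tampered


if __name__ == "__main__":
    print(demo())
```

Run it and the demo reports two items collected, a clean first verification, and `auth.log` flagged once it has been appended to. In a real collection the manifest itself should be stored somewhere the collected files cannot overwrite it (or signed), since a manifest that lives beside the evidence can be rewritten along with it.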

So, that is their list of things to consider. We know what that means.

Here’s the thing: you don’t know what you don’t know. Creating an incident response plan may seem complicated, but you have to start somewhere. Start by creating your team, then go through the list we reviewed, start documenting, create your plans, and then work to keep them up to date.


HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
