
A proper incident response plan is one that details your response to a data breach, cyber attack or other event. Without a proper plan, things can go horribly awry. In this episode, we discuss the steps to properly respond to a security incident and then give you seven ways you can completely screw it up.
In this episode:
7 Ways To Screw Up Incident Response – Ep 338
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
The HIPAA Boot Camp
2-22-22 thru 2-24-22
Sign up NOW!
The Privacy and Security Boot Camp
3.5 day In Person Event
Sep 12, 13, 14 and 15
More details coming soon…
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
HIPAA Say What!?!
[02:36] When there is a breach of PHI, you must notify patients within 60 days of discovery. Unless you are reasonably sure that the confidentiality, integrity and availability (CIA) of the data were not compromised, you must notify. The way you determine that is by doing an investigation. In very general terms, these are the 7 steps you would follow to properly respond to an incident:
- A data breach may have occurred: initiate the incident response plan.
- Preserve evidence and begin the investigation.
- Once evidence has been captured properly, restore, rebuild, etc. to start your recovery.
- Forensics reports supply the information needed to determine whether the reasonable assurances required under the breach rule have been met.
- If it is not reasonable to believe that no PHI was breached, then notifications are required. Begin identifying the patients to notify, based on the forensic findings about the intruders' activity.
- If notifications are required, provide appropriate notifications to patients within 60 days of discovery of the incident. The number of patients involved determines when you have to notify HHS and whether you have to notify the media. Remember that this must be done within 60 days of discovery. Notify HHS as soon as you believe patient notification may be required. If you need to, report it as fewer than 500 and amend the report once all affected patients are identified.
- Do a complete review of what occurred and of your response. Make appropriate changes to your policies, procedures and incident response plan.
7 Ways To Screw Up Incident Response
[09:55] Now, let's go through a real-world case and review exactly how a company screwed up all of those steps. Bansley & Kiener, an accounting firm in Chicago, had a ransomware attack in December 2020. Our review is based on what we currently know about the data breach from the firm's notice on its website: Data Security Incident Notice – Bansley & Kiener.
Based on a few things we can take from the notice, Bansley & Kiener is a BA (business associate) that absolutely did not do things correctly:
- A ransomware attack occurred on Dec 10, 2020 and they nuked and paved.
- They went back to business as usual with no further investigation, which wiped out any chance of gathering whatever evidence of the compromise the nuke and pave had not already destroyed.
- They told no one that anything had happened and kept working as normal. This is an accounting firm that was hit in December. December is always hectic in an accounting firm. Closing out the year and dealing with the holidays AND dealing with the COVID-19 surge was not a good time for any of us, but it certainly wasn't a great time for an accounting firm. Adding a ransomware attack would have been very stressful. However, that does not remove the responsibility to handle the attack appropriately according to the law and to protect the individuals who may be impacted by the attack.
- They did zero investigation of what happened and made no changes to their business practices, security policies or technology.
- Bansley & Kiener was notified on May 24, 2021 that data had been exfiltrated, but they made no effort to notify HHS, any patients or the press at that time. If you think you just don't need to notify, make note of this, because these days it will come back on you. The FBI is out there searching for attackers and for the data being shared on the dark web.
- They hired someone to investigate even though all evidence had been destroyed. They may have had problems finding someone who would try. And even then, it would have taken weeks to search for possible evidence before trying to evaluate it. Forensics takes a long time to do, but not as long as they took in this case. There is definitely more information to be discovered about what happened during this time frame. The notification says "on August 24, 2021, the investigation confirmed that the information present on our systems at the time of the incident included names and Social Security numbers."
- They made their notifications almost a year to the day after the attack occurred. They pushed out the notice on Friday, Dec 3, 2021. When a notice comes out on a Friday afternoon, you know it is a bad one. If you are a victim who has done everything you are supposed to do, then you want the notice to go out at a time that does not result in a massive number of phone calls on Monday morning.
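As an added example (not from the podcast or from the firm's notice), here is a small Python model of the notification clock from step 6 applied to the dates cited above. It assumes discovery equals the attack date, uses the Breach Notification Rule's 500-individual threshold for HHS and media notice (simplified: the media rule actually counts residents per state), and the affected count is a constructed placeholder because the show notes give none.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTIFY_WINDOW_DAYS = 60        # patient notice is due within 60 days of discovery
HHS_IMMEDIATE_THRESHOLD = 500  # 500+ individuals: HHS (and media) in the same window


@dataclass
class BreachIncident:
    discovered: date                        # when the breach was, or should have been, discovered
    affected: int                           # best current estimate of individuals affected
    patients_notified: Optional[date] = None  # when patient notices actually went out

    def patient_deadline(self) -> date:
        return self.discovered + timedelta(days=NOTIFY_WINDOW_DAYS)

    def hhs_deadline(self) -> date:
        # 500+ individuals: report to HHS within the same 60 days as the patient notice.
        # Fewer than 500: log it and report within 60 days after the end of the calendar year.
        if self.affected >= HHS_IMMEDIATE_THRESHOLD:
            return self.patient_deadline()
        return date(self.discovered.year, 12, 31) + timedelta(days=NOTIFY_WINDOW_DAYS)

    def media_notice_required(self) -> bool:
        # Simplification: the rule counts residents per state; the total is used here.
        return self.affected >= HHS_IMMEDIATE_THRESHOLD

    def days_late(self) -> Optional[int]:
        """Days by which the patient notice missed its deadline; None if not yet sent."""
        if self.patients_notified is None:
            return None
        return max(0, (self.patients_notified - self.patient_deadline()).days)


# Dates from the episode. Discovery is assumed to be the attack date, and the
# affected count (600) is a constructed placeholder, not a figure from the notice.
bansley_kiener = BreachIncident(date(2020, 12, 10), affected=600,
                                patients_notified=date(2021, 12, 3))

# Constructed small-breach case: same discovery date, under the 500 threshold, no notice sent yet.
small_case = BreachIncident(date(2020, 12, 10), affected=200)

if __name__ == "__main__":
    inc = bansley_kiener
    print("patient notice due:", inc.patient_deadline())     # 2021-02-08
    print("HHS report due:", inc.hhs_deadline())
    print("media notice required:", inc.media_notice_required())
    print("patient notice late by (days):", inc.days_late())  # 298
```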
Accounting Firm Bansley & Kiener Hit with Class Action Over 2020 Ransomware Attack
Bansley and Kiener CPA firm sued over delayed breach notification, data theft
When you experience a ransomware attack, there is a high likelihood that the intruders have been inside your network for a long time and on their way out they launch the ransom notice. Typically, they start with reconnaissance to learn how your network is configured. Then, they build scripts using that information to be able to launch their attack quickly and pull data off systems. Then, they set the place on fire by delivering the ransom notice to users/computers.
Let's be clear: when your systems or data have been encrypted by an intruder, that is a defining characteristic of a ransomware attack. With the upsurge in these kinds of attacks, everyone should have an incident response plan that includes the proper steps to respond to such an attack.
We've said several times before that the cost of implementing security measures to try to prevent a ransomware or other malicious attack, and of responding properly if one does occur, is far less than the cost when the proper steps are not followed. Because when it goes bad, it goes really bad.
HIPAA is not about compliance,
it's about patient care.™
Special thanks to our sponsors Security First IT and Kardon.


