A Breach Response plan is a required element of your compliance program since HITECH became effective. Everyone must have a written plan and know what needs to be done.
NIST National Institute of Standards and Technology
APDerm Resolution Agreement See item 2(2)
Establishing an incident response capability should include the following actions:
- Creating an incident response policy and plan
- Written required – already had an OCR resolution that mentioned not having one (APDerm – $150,000)
- Developing procedures for performing incident handling and reporting
- Who is your “go to” team for forensics
- Setting guidelines for communicating with outside parties regarding incidents
- PR will be critical for reputation managment
- Selecting a team structure and staffing model
- Someone has to be in charge of the whole thing and then others in charge of the parts.
- Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)
- Bigger organizations need to know who is responsible for talking with each department.
- Determining what services the incident response team should provide
- How far is the team going through the process? Will they pass off follow up or will they do all the activity required from beginning to end. Again, large organizations need to worry about this.
- Staffing and training the incident response team
- Make a written list and have the team meet regularly to review how to respond to any incident that may come up in the organization.