Cybersecurity: Importance of Incident Response in IT Programs
Computer security incident response is a crucial element of an information technology program. It can assist Covered Entities and Business Associates in promptly detecting breaches, decreasing loss and damage, mitigating the weaknesses that were exploited, protecting the confidentiality, integrity, and availability of data, and restoring IT services to normal.
Understanding Cybersecurity Incidents and Breaches
HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304.) HIPAA also identifies breaches as, generally, an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. (See the definition of breach at 45 CFR 164.402.)
The Growing Need for Cybersecurity Incident Response
According to a recent survey, 43% of respondents lack formal incident response plans and procedures, and 55% lack formal incident response teams. Alarmingly, 61% of these respondents have experienced a data breach in the past two years, which included unauthorized access, denial of service, or malware infection.
Cybersecurity-related attacks have continued to rise and become more destructive and disruptive. In 2014, the average cost to a company suffering a data breach affecting personally identifiable information (PII) was $3.5 million, with an average cost of $145 per individual.
Why Cybersecurity Incident Response Is Critical
With the constant upsurge in security breaches involving cyberattacks, and as required by the HIPAA Security Rule, Covered Entities and Business Associates must establish security incident response capabilities. While effective incident response planning can be complex, it should remain a top priority.
Steps to Establish a Cybersecurity Incident Response Capability
1. Develop Incident Response Policies, Plans, and Procedures
The incident response procedures should be based on the entity’s incident response policy and plan. These procedures outline specific technical processes, tools, techniques, and forms utilized by the incident response team and staff reporting an incident. Key processes include:
- Preparing for incidents
- Detecting and analyzing incidents
- Containing, eradicating, and recovering from incidents
- Conducting post-incident activities and reviews
Incident response policies should be approved by management and reviewed annually. Plans must meet the unique requirements of Covered Entities and Business Associates, considering their mission, size, structure, and functions.
2. Build Communication Plans and Relationships
Building relationships and lines of communication between the incident response team and internal/external groups is vital. Covered Entities and Business Associates should plan these communications before an incident occurs. This includes collaborating with:
- Internal groups such as IT, public affairs, legal, and management
- External parties such as federal agencies, law enforcement, media, ISPs, vendors, and other response teams
3. Staff and Train for Cybersecurity Incident Response
Incident response teams should be staffed with professionals possessing relevant skill sets, such as:
- Network administration
- Programming and technical support
- Intrusion detection
- Cybersecurity forensic analysis
Additionally, team members must have strong teamwork and communication skills. Regular training ensures readiness for handling incidents effectively.