12 key steps in responding to a data breach
Every healthcare organization should have an incident response plan (IRP) in place before it experiences a breach of protected health information. The IRP is the roadmap for what to do in the event of a data breach: it contains the specific steps to take so the organization can respond quickly and then defend itself against any legal actions that might stem from lost or stolen data. In a new report, cloud security vendor ARMOR walks through the process of assembling an incident response team and the steps an IRP should contain to respond effectively to a breach.
Assemble the incident response team
Team members can come from inside or outside the organization. Because the team is lined up before a breach, each member will understand his or her responsibilities and the importance of collaboration.
Pick the right combination of talent for the team
The team should include security experts, including a director of the organization’s security operations center; IT managers who understand the data and applications; marketing officers to ensure that the provider’s brand isn’t damaged by an incident; attorneys specializing in breach remediation; business stakeholders; contractors and other third-party vendors; and compliance officers.
Because there likely will be a post-breach audit, it is essential to preserve artifacts relating to the event for evidence and attribution. Because much of the data that is collected is time-sensitive and cannot be reproduced, it is critical to collect and preserve it immediately. Artifacts to preserve include time stamps for critical files, network connections, current logins, process lists, memory dumps (files containing a copy of the computer’s memory) and packet captures (intercepting and logging traffic).
Artifacts tell the story of the breach, according to ARMOR. Time stamps show when files are accessed and by whom. For example, network connections might show a systems administrator who works during the day was accessing files in the middle of the night.
While artifacts are being examined, experts can make sure time is not wasted preserving artifacts that are not relevant, and they know which artifacts must be preserved for a criminal prosecution. The artifacts phase is over when sufficient evidence has proved a breach occurred or when there is no more evidence to gather.
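The off-hours pattern described above (a day-shift administrator reading files in the middle of the night) can be checked mechanically once time stamps and user identities are preserved. This is an added example, not code from the ARMOR report; the access-log format, the user names and the working-hours schedule are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample access log (not data from the page); one file access per line.
ACCESS_LOG = """\
2024-03-01T09:12:41Z user=jsmith action=file_read path=/ehr/records/1001
2024-03-01T14:30:02Z user=jsmith action=file_read path=/ehr/records/1002
2024-03-02T02:14:05Z user=jsmith action=file_read path=/ehr/records/4470
2024-03-02T02:16:50Z user=jsmith action=file_read path=/ehr/records/4471
2024-03-02T22:05:11Z user=nightops action=file_read path=/ehr/records/4472
"""

# Expected working hours per account as (start_hour, end_hour) in UTC.
# Assumed for the constructed data: jsmith is a day-shift administrator,
# nightops is an on-call account whose shift wraps midnight.
SCHEDULE = {
    "jsmith": (8, 18),
    "nightops": (20, 6),
}

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'time' field."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def in_window(hour, window):
    """True if an hour-of-day falls inside a window that may wrap midnight."""
    start, end = window
    if start <= end:                       # same-day window, e.g. 08:00-18:00
        return start <= hour < end
    return hour >= start or hour < end     # wraps midnight, e.g. 20:00-06:00

def find_off_hours_access(log_text, schedule):
    """Return events where a user accessed files outside their expected hours.
    Users with no schedule entry are flagged too, since they are unexplained."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        window = schedule.get(event["user"])
        if window is None or not in_window(event["time"].hour, window):
            flagged.append(event)
    return flagged

if __name__ == "__main__":
    for e in find_off_hours_access(ACCESS_LOG, SCHEDULE):
        print(f"{e['time'].isoformat()} {e['user']} read {e['path']}")
```

On the constructed log only the two 02:00 reads by jsmith are flagged; the nightops access at 22:05 falls inside its wrapped 20:00-06:00 window.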
Check user accounts
A close look at user accounts can also tell a story. Duplicate accounts, or old accounts that have been reactivated, can pinpoint the source of a breach. Weak passwords or elevated privileges are an indicator of poor policy or dubious activity.
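The account checks above (reactivated dormant accounts, duplicate accounts for one person, and elevated privileges) can be run over an exported account inventory. This is an added example, not code from the ARMOR report; the inventory records, the group name "domain-admins" and the 90-day dormancy and 30-day recency thresholds are assumptions chosen for illustration.

```python
from datetime import date

# Constructed account inventory for the example (not data from the page).
# disabled_on is None for accounts that were never disabled.
ACCOUNTS = [
    {"user": "jsmith", "person": "Jane Smith", "disabled_on": None,
     "enabled_on": "2021-05-10", "groups": ["staff"]},
    {"user": "jsmith2", "person": "Jane Smith", "disabled_on": None,
     "enabled_on": "2024-02-27", "groups": ["staff", "domain-admins"]},
    {"user": "rlee", "person": "Ray Lee", "disabled_on": "2023-06-30",
     "enabled_on": "2024-02-26", "groups": ["staff"]},
    {"user": "svc-backup", "person": "service", "disabled_on": None,
     "enabled_on": "2020-01-01", "groups": ["domain-admins"]},
]
PRIVILEGED_GROUPS = {"domain-admins"}   # assumed group name for this example

def review_accounts(accounts, today_iso, dormant_days=90, recent_days=30):
    """Return (user, reason) pairs for accounts that deserve a closer look."""
    today = date.fromisoformat(today_iso)
    findings = []
    owners = {}                      # person -> list of their account names
    for a in accounts:
        owners.setdefault(a["person"], []).append(a["user"])
    for a in accounts:
        enabled_on = date.fromisoformat(a["enabled_on"])
        # An old account switched back on recently after a long dormant period.
        if a["disabled_on"] is not None:
            dormant = (enabled_on - date.fromisoformat(a["disabled_on"])).days
            if dormant > dormant_days and (today - enabled_on).days <= recent_days:
                findings.append((a["user"], f"reactivated after {dormant} days dormant"))
        # A second account for the same person (service accounts are excluded).
        if a["person"] != "service" and len(owners[a["person"]]) > 1:
            findings.append((a["user"], "duplicate account for " + a["person"]))
        # Membership in a privileged group.
        for g in a["groups"]:
            if g in PRIVILEGED_GROUPS:
                findings.append((a["user"], "member of privileged group " + g))
    return findings

if __name__ == "__main__":
    for user, reason in review_accounts(ACCOUNTS, "2024-03-03"):
        print(f"{user}: {reason}")
```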
Study network traffic
Examining network traffic flows and CPU utilization is time well spent. A CPU (the central processor that carries out a program’s instructions) running at 90 percent utilization, or a mail server processing unusually large inbound traffic, may indicate a brute-force attack.
Stop the bleeding
To prevent the exfiltration of data, it may be necessary to shut down one or more applications. When exfiltration of data has stopped, continue monitoring to ensure that efforts are successful before returning to normal operations.
Close the door
If exfiltration continues, repeat the remedial measures and close the door that threat actors used to gain access. Once the vulnerability has been closed, monitor again for continued exfiltration and repeat this step if necessary.
Return to normal operations
When all exfiltration has ceased with no evidence of continued activity, the organization can return to normal operations; however, some work remains. This includes software patching, re-imaging and manual cleanup activities. Out-of-date code often has dangerous vulnerabilities, so organizations should install all updates so applications are running on the latest version. Manual steps include cleaning up accounts by matching account identities with permissions and enforcing password change and reuse policies.
When the audit is complete, convene the incident response team to recap lessons learned and add to the IRP a list of tasks and procedures designed to prevent a similar breach from recurring.
Apply new knowledge
Continue to foster a culture of collaboration between members of the IRP team and the organization as a whole. The IT department should convey the value of security measures to organization leaders on an ongoing basis, not in technical terms but in understandable explanations of the dollars-and-cents risk to the organization.