Business Team Investment Entrepreneur Trading Concept
12 key steps in responding to a data breach
Every healthcare organization should have an incident response plan (IRP) in place before it experiences a breach of protected health information. The IRP is the roadmap for what to do in the event of a data breach—it contains the specific steps to take so the organization can quickly respond and then defend itself against any legal actions that might stem from lost or stolen data. In a new report, cloud security vendor ARMOR walks through the process of assembling an incident response team and the steps an IRP should contain to effectively respond to a breach.
May 2018 Slideshow AdobeStock_107877648 A.jpeg
File Folder with Inscription Incident Management on Working Desktop. Incident Management. Illustration on Toned Background. 3D Render.
Assemble the incident response team
Team members can come from inside or outside the organization. Because the team is lined up before a breach, each member will understand his or her responsibilities and the importance of collaboration.
May 2018 Slideshow AdobeStock _887065 B.jpeg
Pick the right combination of talent for the team
The team should include security experts, including a director of the organization’s security operations center; IT managers who understand the data and applications; marketing officers to ensure that the provider’s brand isn’t damaged because of an incident; attorneys specializing in breach remediation; business stakeholders; contractors and other third party vendors; and compliance officers.
May 2018 Slideshow AdobeStock_126461022 C.jpeg
Connection lines Around Earth Globe, Futuristic Technology Theme Background with Light Effect
Preserve artifacts
Because there likely will be a post-breach audit, it is essential to preserve artifacts relating to the event for evidence and attribution. Because much of the data that is collected is time-sensitive and cannot be reproduced, it is critical to collect and preserve it immediately. Artifacts to preserve include time stamps for critical files, network connections, current logins, process lists, memory dumps (files containing a copy of the computer’s memory) and packet captures (intercepting and logging traffic).
May 2018 Slideshow AdobeStock_59176370 D.jpeg
Forensics or Forensic Science as a Concept
Examine artifacts
Artifacts tell the story of the breach, according to ARMOR. Time stamps show when files are accessed and by whom. For example, network connections might show a systems administrator who works during the day was accessing files in the middle of the night.
May 2018 Slideshow AdobeStock_65080993 E.jpeg
Financial advisor explaining investment plan to couple on laptop at office desk
Get expert help
During the period of examining artifacts, experts can make sure time is not wasted by preserving artifacts that are not relevant, and they are knowledgeable of artifacts that must be preserved for a criminal prosecution. The artifacts phase is over when sufficient evidence has proved a breach occurred or when there is no more evidence to gather.
May 2018 Slideshow AdobeStock_99628662 F.jpeg
Check user accounts
A close look at user accounts also can tell a story. Duplicate or old accounts that have been reactivated can pinpoint the source of a breach. Weak passwords or elevated privileges are an indicator of poor policy or dubious activity.
May 2018 Slideshow AdobeStock_196989983 G.jpeg
Study network traffic
Examining network traffic flows and CPU utilization is time well-spent. A CPU, a central processor that carries out instructions of a computer program and is at 90 percent utilization, or a mail server processing unusually large inbound traffic, may indicate a brute-force attack.
May 2018 Slideshow AdobeStock_81223203 H.jpeg
Adhesive bandage plaster to represent damage or pain and a solution. Isolated on a white background with clipping path.
Stop the bleeding
To prevent the exfiltration of data, it may be necessary to shut down one or more applications. When exfiltration of data has stopped, continue monitoring to ensure that efforts are successful before returning to normal operations.
May 2018 Slideshow AdobeStock_125102574 I.jpeg
hand unlocking front door with key, closeup
Close the door
If exfiltration continues, repeat remedial measures and close the door that threat actors used to gain access. Once vulnerability has been shut down, monitor again for continued exfiltration and repeat this step if necessary.
May 2018 Slideshow AdobeStock_125733587 J.jpeg
Return to normal operations
When all exfiltration has ceased with no evidence of continued activity, the organization can return to normal operations—however, some work remains. This includes software patching, re-imaging and manual cleanup activities. Out-of-date code often has dangerous vulnerabilities, so organizations should install all updates so applications are running on the latest version. Manual steps include cleaning up accounts by matching account identities with permissions and enforcing password change and reuse policies.
May 2018 Slideshow AdobeStock_195532177 K.jpeg
Top view of a cup of coffee clock,mobile phone and eyeglasses on wooden background written with TIME TO EVALUATE.
Assess lessons
When the audit is complete, convene the incident response team to recap lessons learned and add to the IRP a list of tasks and procedures designed to prevent a similar breach from reoccurring.
May 2018 Slideshow AdobeStock_87070391 L.jpeg
Group of multi-ethnic business partners discussing ideas
Apply new knowledge
Continue to foster a culture of collaboration between members of the IRP team and the organization as a whole. The IT department should convey the value of security measures to organization leaders , on an ongoing basis, not in technical terms but in understandable explanations of dollar-and-cents risk to the organization.
May 2018 Slideshow AdobeStock_61568304 M.jpeg
Education concept: text Learn More on Black chalkboard background, 3d render
Learn more
More information on ARMOR is available here.