12 key steps in responding to a data breach
Every healthcare organization should have an incident response plan (IRP) in place before it experiences a breach of protected health information. The IRP is the roadmap for what to do in the event of a data breach—it contains the specific steps to take so the organization can quickly respond and then defend itself against any legal actions that might stem from lost or stolen data. In a new report, cloud security vendor ARMOR walks through the process of assembling an incident response team and the steps an IRP should contain to effectively respond to a breach.
Assemble the incident response team
Team members can come from inside or outside the organization. Because the team is lined up before a breach, each member will understand his or her responsibilities and the importance of collaboration.
Pick the right combination of talent for the team
The team should include security experts, including a director of the organization’s security operations center; IT managers who understand the data and applications; marketing officers to ensure that the provider’s brand isn’t damaged because of an incident; attorneys specializing in breach remediation; business stakeholders; contractors and other third-party vendors; and compliance officers.
Because there likely will be a post-breach audit, it is essential to preserve artifacts relating to the event for evidence and attribution. Because much of the data that is collected is time-sensitive and cannot be reproduced, it is critical to collect and preserve it immediately. Artifacts to preserve include time stamps for critical files, network connections, current logins, process lists, memory dumps (files containing a copy of the computer’s memory) and packet captures (intercepting and logging traffic).
Artifacts tell the story of the breach, according to ARMOR. Time stamps show when files are accessed and by whom. For example, network connections might show a systems administrator who works during the day was accessing files in the middle of the night.
Get expert help
While artifacts are being examined, experts can make sure time is not wasted preserving artifacts that are not relevant, and they know which artifacts must be preserved for a criminal prosecution. The artifacts phase is over when sufficient evidence has proved a breach occurred or when there is no more evidence to gather.
Check user accounts
A close look at user accounts also can tell a story. Duplicate or old accounts that have been reactivated can pinpoint the source of a breach. Weak passwords or elevated privileges are indicators of poor policy or dubious activity.
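A small triage script, added here as an illustration and not part of ARMOR’s report, that applies the two checks described above (logins outside working hours by accounts that are normally active during the day, and old accounts re-enabled after a long dormant period) to constructed sample authentication events; the 07:00–19:00 working window and the 90-day dormancy threshold are assumptions.

```python
from datetime import datetime

# Constructed sample of authentication events (not real data): ISO timestamp, account, action.
# "login" is an interactive session start; "enable" is an account being switched back on.
SAMPLE_EVENTS = """\
2022-06-10T10:00:00 svc_legacy login
2023-03-01T09:12:04 jdoe login
2023-03-01T14:47:30 jdoe login
2023-03-02T02:51:17 jdoe login
2023-03-02T02:55:40 svc_legacy enable
2023-03-02T02:56:02 svc_legacy login
"""

BUSINESS_START, BUSINESS_END = 7, 19  # assumed local working hours, 07:00 to 19:00
DORMANT_DAYS = 90                      # assumed threshold for an "old" account

def parse_events(text):
    """Parse 'timestamp account action' lines into (datetime, account, action) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action = line.split()
        events.append((datetime.fromisoformat(ts), user, action))
    return sorted(events)

def off_hours_logins(events, start=BUSINESS_START, end=BUSINESS_END):
    """Logins outside working hours: the 'daytime administrator active at 3 a.m.' pattern."""
    return [(user, ts.isoformat()) for ts, user, action in events
            if action == "login" and not start <= ts.hour < end]

def reactivated_dormant_accounts(events, dormant_days=DORMANT_DAYS):
    """Accounts re-enabled after a long gap since their last recorded activity of any kind."""
    last_seen = {}
    findings = []
    for ts, user, action in events:
        if action == "enable" and user in last_seen:
            idle_days = (ts - last_seen[user]).days
            if idle_days >= dormant_days:
                findings.append((user, ts.isoformat(), idle_days))
        last_seen[user] = ts
    return findings

def triage(text=SAMPLE_EVENTS):
    """Run both checks and return the findings for the incident response team to review."""
    events = parse_events(text)
    return {"off_hours": off_hours_logins(events),
            "reactivated": reactivated_dormant_accounts(events)}
```

In a real investigation the working-hours window would come from each account’s own baseline rather than one fixed range, and the events from the preserved logs rather than an embedded sample.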
Study network traffic
Examining network traffic flows and CPU utilization is time well spent. A CPU (the central processor that carries out the instructions of a computer program) running at 90 percent utilization, or a mail server processing unusually large inbound traffic, may indicate a brute-force attack.
Stop the bleeding
To prevent the exfiltration of data, it may be necessary to shut down one or more applications. When exfiltration of data has stopped, continue monitoring to ensure that efforts are successful before returning to normal operations.
Close the door
If exfiltration continues, repeat the remedial measures and close the door that threat actors used to gain access. Once the vulnerability has been closed, monitor again for continued exfiltration and repeat this step if necessary.
Return to normal operations
When all exfiltration has ceased with no evidence of continued activity, the organization can return to normal operations—however, some work remains. This includes software patching, re-imaging and manual cleanup activities. Out-of-date code often has dangerous vulnerabilities, so organizations should install all updates so applications are running on the latest version. Manual steps include cleaning up accounts by matching account identities with permissions and enforcing password change and reuse policies.
When the audit is complete, convene the incident response team to recap lessons learned and add to the IRP a list of tasks and procedures designed to prevent a similar breach from recurring.
Apply new knowledge
Continue to foster a culture of collaboration between members of the IRP team and the organization as a whole. The IT department should convey the value of security measures to organization leaders on an ongoing basis, not in technical terms but in understandable explanations of the dollars-and-cents risk to the organization.