Providers should assess breach readiness after MedStar hack
With reports from MedStar Health indicating that the health system's computer systems remained down for a second day after Monday's cyber attack, providers have a new sense of urgency about having firm plans in place for responding to a breach.
A new 29-page Data Breach Response Guide from Experian helps IT and other healthcare executives put together an enterprisewide plan to prepare for and respond to a breach, and then put the plan into motion when an incident occurs.
Sections in the guide cover communicating with the C-suite; creating a plan; practicing the plan; responding to a breach; auditing the plan; and finding helpful resources. The guide also includes a readiness assessment, built around core questions, for gauging whether an organization has plans in place to respond appropriately to a breach. The questions are grouped as follows:
Response planning: Do you have an internal response team assembled? If you have a preparedness plan in place, have you updated, audited and tested your plan in the last 12 months?
Key partners: Have you identified third-party vendors and signed contracts to engage in the case of a breach? Do you have a relationship with relevant state attorneys general to contact in the case of a breach and ensure you are following state guidelines?
Notification and protection: Have you identified what your breach notification process would look like and have the proper contact lists for employees and patients in place to activate quickly? Have you evaluated identity theft protection services to offer to affected parties if you experience a data breach?
Security planning: Have you taken inventory of the types of information you store that could be exposed during a data breach? Do you have the technologies and processes in place to conduct a thorough forensic investigation into a cyber security incident?
Communications: Have you developed a communications incident response plan, including drafts of key media materials that will be useful during an incident (such as statements and frequently asked questions)? Have you trained your spokespeople and executives specifically on interacting with media in discussing security matters?
Training and awareness: Have you conducted a data breach crisis tabletop exercise or simulation in the last 12 months to test how effectively your company would manage a major incident? Have you conducted employee training to apply security best practices in the last 12 months?