[BreachExchange] Best Practices for Incident Response Plans

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 9 19:21:48 EDT 2017


Data breaches cost companies an average of $221 per compromised record.
Heavily-regulated industries, like healthcare, tend to have per capita data
breach costs substantially higher than the overall mean. In fact, according
to an American National Standards Institute (ANSI) survey of institutions
that experienced a reported breach, healthcare breaches can cost $8,000 to
$300,000, in addition to any U.S. Department of Health and Human Services'
Office for Civil Rights (OCR) penalty or settlement.

Healthcare data contains a wide range of identifying information, including
social security numbers, birthdates and home addresses. This makes health
information very valuable, necessitating effective breach prevention and
incident response plans. Here are five best practices.

Create a Patient Data Protection Committee
Everyone involved in protecting Protected Health Information (PHI) at a
healthcare organization must communicate with each other regularly.
Creating a patient data protection committee will facilitate this
communication. This committee should conduct some privacy functions for the
organization, like overseeing patient privacy and security programs,
performing quarterly risk analyses and assessments, and reviewing policies
and procedures annually.

Provide Ongoing Education and Training
Many breaches are caused by unintentional employee actions during the
normal Release of Information (ROI) process. Unfamiliarity with proper
policies and procedures for the use and disclosure of health information is
frequently to blame. With this in mind, fostering a culture of compliance
is key to stopping these breaches.

As part of this culture of compliance, workforce members should undergo
formal training at least once a year.

Utilizing technology to strengthen compliance is a must. Electronic PHI
(ePHI) should always be encrypted before distribution, fortifying the data
against breach.

Test the Effectiveness of the Compliance Program
Keep your compliance program current by performing regular effectiveness
tests. Mock breach exercises and the use of fake phishing emails are great
ways to keep employees up to date on compliance.

Assess BA Compliance
It is important that Business Associates (BAs) are compliant. Conducting
regular due diligence and periodic vendor audits will ensure BA compliance.
Make sure Business Associate Agreements (BAAs) are in place.