On the Alert: Incident Response Plan for Healthcare
11/13/2017

Presenter Introductions
- Nadia Fahim-Koster, Managing Director, IT Risk Management, Meditology Services
- Kevin Henry, Senior Associate, IT Risk Management, Meditology Services
Session Agenda
Agenda
- Meditology overview
- Requirements behind an incident response program (IRP)
- Different components of an effective IRP
- Preparing for your testing exercise
- Developing meaningful testing scenarios
- How to conduct and document testing
- Questions

2017 Meditology Services, LLC. All Rights Reserved
Meditology Overview
Who is Meditology?
- Focused exclusively on the healthcare industry, with a core competence in security, privacy, and HIPAA compliance.
- An average of 15+ years of combined Big 4 healthcare IT security and compliance leadership experience.
- Team has directly relevant operational experience as CISOs and Chief Privacy Officers of health systems.
- Conducted hundreds of engagements for healthcare clients across the country, ranging in size and complexity from community hospitals to 2000+ bed health systems.
- Certifications include: CISSP, HCISPP, HITRUST (CCSFP), PMP, CCNA, CPHIMS, CISA, CEH, and CNSS.
- Worked with clients under OCR investigation, made multiple presentations to OCR, and very knowledgeable about the OCR audit process.
- Lead architect of the HITRUST Common Security Framework.
- Advisors to ONC / HHS on healthcare information security, ethical hacking, and medical device security.

Serving Healthcare Clients Coast to Coast
Regulatory Requirements
Requirements behind an Incident Response Program
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to:
- identify and respond to suspected or known security incidents;
- mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and
- document security incidents and their outcomes.
Source: Department of Health & Human Services, HIPAA Security Series, Requirement 164.308(a)(6)(i), Response and Reporting.
Components of an Effective Incident Response Program (IRP)
Policy
The National Institute of Standards and Technology (NIST) recommends that the following elements be included in the IRP policy:
- Statement of management commitment
- Purpose and objectives of the policy
- Scope of the policy
- Definition of security incidents and related terms
- Roles, responsibilities, and levels of authority
- Severity ratings of incidents
- Performance indicators
- Reporting and contact forms
Source: NIST Special Publication 800-61, Revision 2, Computer Security Incident Handling Guide.

Plan
The plan should be tailored to the size, structure, and mission of your organization. NIST recommends that the following elements be part of your IRP plan:
- Senior management sponsorship and approval
- Goals and objectives for incident response
- Organizational structure of the various team members, their resource requirements, and their roles
- Communication process for internal and external entities
- Outline of the incident response methods for each incident class defined in the policy
- Metrics for evaluating the effectiveness of the team and process
- Processes for annual review and evaluation
Organizational Structure
(organizational chart slide)

Statement of Management Commitment
Management commitment and responsibilities include:
- Program management
- Program review and updates
- Development of a review panel or task force if hazards are identified, or for deployment after an event to assist in its review
- Assisting with training
- Enforcing disciplinary actions as needed
- Interaction and assistance with regulatory and response agencies

Purpose and Objectives
Purpose and objectives of the policy:
- To ensure that information security events, and weaknesses associated with information systems, are handled in a timely manner and allow corrective action to be taken.
- Governs the actions required for reporting and responding to security incidents involving client information assets.
- Ensures effective and consistent handling of such events to limit any potential impact to the confidentiality, availability, and integrity of client information assets.

Scope
Scope of the policy:
- Applies to all workforce members, users, and all personnel affiliated with third parties who access or use client information assets, regardless of physical location.
- Also applies to:
  - Information technology administered in individual departments
  - Technology administered centrally
  - Personally-owned computing devices connected by wire or wireless to the client network
  - Off-site computing devices that connect remotely to the client network
Definition of Security Incidents
Definitions used in the policy:
- Security Incident: a violation, or imminent threat of a violation, of IT or Information Security policies, procedures, acceptable use policies, or standard security practices.
- Security Incident Response Team (SIRT): a group of individuals set up for the purpose of assisting in responding to security-related incidents.
- Unauthorized Access/Theft: unauthorized access encompasses a range of incidents, from improperly logging into a user's account (e.g., when a hacker logs in to a legitimate user's account) or unauthorized usage of logon credentials, to obtaining unauthorized access to files and directories, possibly by obtaining "super-user" privileges.
- Virus: a self-replicating, malicious program segment that attaches itself to an application program or other executable system component and leaves no external signs of its presence.
Roles and Responsibilities
(roles and responsibilities matrix slide)

Severity Ratings
(severity rating table slide)

Procedures
The most common procedures include the following elements:
- Communication, both internal and external to your organization
- Escalation notification
- Incident tracking forms
- Incident reporting and documentation
- Investigation checklists by technology platform
- Remediation checklists by risk and threat classification
- Security information and event management (SIEM)
- Evidence collection and handling, including chain of custody
- Forensics investigation and documentation
- Data retention and destruction
- Non-disclosure agreements
Preparing for your Testing Exercise
Testing Preparation
A good IRP test requires adequate preparation:
- Review every component of your IRP, including your IRP policy
- Assess your procedure documentation for potential improvements and/or changes
- Identify the different teams listed within the IRP to know who the participants of the exercise will be
- Determine whether you will involve every member of every team, or just a representative

Testing Preparation
Every role should have 2 tiers (primary and secondary). Roles to include:
- Internal communications
- External communications
- Human Resources
- Legal
- Executive Leadership
- Marketing
Develop Meaningful Testing Scenarios
Meaningful Scenarios
Create the scenarios that will be used during the exercise:
- Align the scenarios with the incident criticality levels identified in the IRP plan
- Create scenarios that align with real-life incidents in the industry
- Scenarios should test the effectiveness of your organization's HIPAA Breach Notification plan

Low Incident
Jessica in HR has been busy interviewing candidates for positions within Client. She mistakenly emailed one of the candidates a document containing employee demographic information. She immediately notifies her manager. What next steps should be taken?
Medium Incident
Several employees have reported the following email:

From: Smith, John [john.smith@clientinc.com]
Sent: Friday, July 15, 2014 3:15PM
Subject: System Administrator UPDATE YOUR MAIL BOX QUOTA

Your mailbox has almost exceeded its storage limit. It will not be able to send or receive emails if exceeded it limit and your email account will be deleted from our servers. To avoid this problem you need to update your mailbox quota. By clicking on the link below and filling your login information for the update.
http://owa-team1.webs.com/
If we do not receive a reply from you, your mailbox will be suspended.
Thank you for your cooperation
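As an added example (not part of the deck), a small Python triage check a SIRT member could run over the reported message above to record the indicators that justify escalation: an internal-looking sender, links to hosts outside the organization, and urgency language. It assumes clientinc.com is the organization's own mail domain, as the scenario implies, and that the reported message is available as raw text.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the scenario's reported message re-typed as a raw
# RFC 822 message so that the standard library can parse it.
REPORTED_EMAIL = """\
From: "Smith, John" <john.smith@clientinc.com>
Date: Fri, 15 Jul 2014 15:15:00 -0400
Subject: System Administrator UPDATE YOUR MAIL BOX QUOTA

Your mailbox has almost exceeded its storage limit. It will not be able
to send or receive emails if exceeded it limit and your email account
will be deleted from our servers. To avoid this problem you need to
update your mailbox quota. By clicking on the link below and filling
your login information for the update.
http://owa-team1.webs.com/
If we do not receive a reply from you, your mailbox will be suspended.
Thank you for your cooperation
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Pressure and credential-request phrases typical of quota/mailbox lures
URGENCY_PHRASES = ("will be suspended", "will be deleted", "exceeded",
                   "login information", "update your mailbox")


def _is_internal(host, org_domain):
    """True when the link host is the org domain or one of its subdomains."""
    host = (host or "").lower()
    return host == org_domain or host.endswith("." + org_domain)


def triage_email(raw: str, org_domain: str) -> dict:
    """Return the indicators a SIRT member would record for a reported email."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = msg.get_payload()
    # Link hosts that sit outside the organization's own domain
    external_hosts = sorted({urlparse(u).hostname for u in URL_RE.findall(body)
                             if not _is_internal(urlparse(u).hostname, org_domain)})
    lowered = body.lower()
    urgency = [p for p in URGENCY_PHRASES if p in lowered]
    # An internal-looking sender steering users to an external login page with
    # urgency language is the classic credential-phishing pattern to escalate
    escalate = sender_domain == org_domain and bool(external_hosts) and bool(urgency)
    return {"sender_domain": sender_domain, "external_hosts": external_hosts,
            "urgency_phrases": urgency, "escalate": escalate}
```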
Critical Incident: Hacktivist Threat & Attack
Receptionist receives a threatening phone call from Pro Life Radicals objecting to <CLIENT>'s support of birth control and contraceptives. Pro Life Radicals state: "YOU HAVE 7 DAYS TO PUBLICLY MAKE A STATEMENT PLEDGING <CLIENT> WILL NO LONGER PROVIDE ANY CARE THAT DOES NOT ALIGN WITH PRO LIFE IDEALS. <CLIENT> IS NOT TO PROVIDE BIRTH CONTROL, CONTRACEPTIVES, NOR ANY PREGNANCY ENDING PROCEDURES. FAILURE TO COMPLY WILL RESULT IN THE MARRING OF THE <CLIENT> BRAND AND REPUTATION, ALONG WITH THE LOSS OF THE CONFIDENTIALITY PROMISED TO YOUR PATIENTS. THIS MESSAGE WILL BE DELIVERED DAILY UNTIL COUNTDOWN EXPIRES."
Conduct and Document the Testing
Conducting the Tabletop Exercise
- Designate a facilitator (akin to a Dungeons & Dragons game master)
- The facilitator should outline his/her role and responsibilities:
  - help participants step through the exercise in an organized manner
  - ensure the active participation of all team members
  - raise difficult questions
  - make certain that the IRP is being followed
  - verify that any identified issues are documented
- Ask members to introduce themselves and the areas they represent
- Have several copies of your organization's IRP on hand!

Conducting the Tabletop Exercise
- Describe to the team what your organization intends to accomplish by conducting an IRP tabletop exercise
- Explain what an example scenario looks like and how you will walk the participants through the incident
- Describe the role of the scribe(s)
- Choose to begin with either a low-level incident or a critical-level incident
- Read the scenario to the team and give them a few minutes to digest the information before proceeding

Conducting the Tabletop Exercise
- Get the team started by asking them questions such as:
  - How would you handle this incident?
  - Who should the charge nurse notify?
  - Who would be notified next?
- Be sure teams adhere to the IRP documents
- During the second scenario, introduce unexpected variables to throw the team off guard and see how they handle new, unexpected information

Conducting the Tabletop Exercise
HOTWASH:
- Summarize the events
- Run through the list of to-dos identified by the team during the exercise
- Perform a lessons-learned session
- Survey participants:
  1. Did you get what you needed?
  2. Did everyone in your group participate?
  3. What did you learn?
  4. What would you change?

Documenting the Tabletop Exercise
Writing the report is probably the most difficult part of the tabletop exercise.
- Ensure the scenarios are described and include all the notes for each scenario, including candid conversations
- Include takeaways and a to-do list, as well as all associated notes
- Keep the report handy for the next time you conduct a tabletop exercise, because you will need it to verify that any required updates were made
QUESTIONS?

Thank you!
Nadia Fahim-Koster, Managing Director, IT Risk Management, Nadia.fahim-koster@meditologyservices.com
Kevin Henry, Senior Associate, IT Risk Management, kevin.henry@meditologyservices.com