On the Alert: Incident Response Plan for Healthcare (11/13/2017)


Presenter Introductions
- Nadia Fahim-Koster, Managing Director, IT Risk Management, Meditology Services
- Kevin Henry, Senior Associate, IT Risk Management, Meditology Services

Session Agenda

Agenda
- Meditology Overview
- Requirements behind an incident response program (IRP)
- Different components of an effective IRP
- Preparing for your testing exercise
- Developing meaningful testing scenarios
- How to conduct and document testing
- Questions

2017 Meditology Services, LLC. All Rights Reserved

Meditology Overview

Who is Meditology?
- Focused exclusively on the healthcare industry, with a core competence in security, privacy, and HIPAA compliance.
- An average of 15+ years of combined Big 4 healthcare IT security and compliance leadership experience.
- Team has directly relevant operational experience as CISOs and Chief Privacy Officers of health systems.
- Conducted hundreds of engagements for healthcare clients across the country, ranging in size and complexity from community hospitals to 2000+ bed health systems.
- Certifications include: CISSP, HCISPP, HITRUST (CCSFP), PMP, CCNA, CPHIMS, CISA, CEH, and CNSS.
- Worked with clients under OCR investigation, made multiple presentations to OCR, and very knowledgeable about the OCR audit process.
- Lead architect of the HITRUST Common Security Framework.
- Advisors to ONC / HHS on healthcare information security, ethical hacking, and medical device security.

Serving Healthcare Clients Coast to Coast

Regulatory Requirements

Requirements behind an Incident Response Program
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
Source: Department of Health & Human Services, HIPAA Security Series: Requirement 164.308(a)(6)(i), Response and Reporting.

Components of an Effective Incident Response Program (IRP)

Policy
The National Institute of Standards and Technology (NIST) recommends that the following elements be included in the IRP policy:
- Statement of management commitment
- Purpose and objectives of the policy
- Scope of the policy
- Definition of security incidents and related terms
- Roles, responsibilities, and levels of authority
- Severity ratings of incidents
- Performance indicators
- Reporting and contact forms
Source: NIST Special Publication 800-61, Revision 2, Computer Security Incident Handling Guide

Plan
The plan should be tailored to the size, structure, and mission of your organization. NIST recommends that the following elements be part of your IRP plan:
- Senior management sponsorship and approval
- Goals and objectives for incident response
- Organizational structure of the various team members, their resource requirements, and their roles
- Communication process for internal and external entities
- Outline of the incident response methods for each classified incident from the policy
- Metrics for evaluating the effectiveness of the team and process
- Processes for annual review and evaluation

Organizational Structure

Statement of Management Commitment
Management commitment and responsibilities include:
- Program management
- Program review and updates
- Development of a review panel or task force if hazards are identified, or for deployment after an event to assist in its review
- Assisting with training
- Enforcing disciplinary actions as needed
- Interaction and assistance with regulatory and response agencies

Purpose and Objectives
Purpose and objectives of the policy:
- To ensure that information security events, and weaknesses associated with information systems, are handled in a timely manner and allow corrective action to be taken.
- Governs the actions required for reporting and responding to security incidents involving client information assets.
- Ensures effective and consistent handling of such events to limit any potential impact to the confidentiality, availability, and integrity of client information assets.

Scope
Scope of the policy:
- Applies to all workforce members, users, and all personnel affiliated with third parties who access or use client information assets, regardless of physical location.
- Also applies to:
  - Information technology administered in individual departments
  - Technology administered centrally
  - Personally-owned computing devices connected by wire or wireless to the client network
  - Off-site computing devices that connect remotely to the client network

Definition of Security Incidents
Definitions of security incidents and related terms:
- Security Incident: a violation, or imminent threat of a violation, of IT or Information Security policies, procedures, acceptable use policies, or standard security practices.
- Security Incident Response Team (SIRT): a group of individuals set up for the purpose of assisting in responding to security-related incidents.
- Unauthorized Access/Theft: unauthorized access encompasses a range of incidents, from improperly logging into a user's account (e.g., when a hacker logs in to a legitimate user's account) or unauthorized usage of logon credentials, to obtaining unauthorized access to files and directories, possibly by obtaining "super-user" privileges.
- Virus: a self-replicating, malicious program segment that attaches itself to an application program or other executable system component and leaves no external signs of its presence.

Roles and Responsibilities

Severity Ratings

Procedures
The most common procedures include the following elements:
- Communication, both internal and external to your organization
- Escalation notification
- Incident tracking forms
- Incident reporting and documentation
- Investigation checklists by technology platform
- Remediation checklists by risk and threat classification
- Security information and event management (SIEM)
- Evidence collection and handling (chain of custody)
- Forensics investigation and documentation
- Data retention and destruction
- Non-disclosure agreements

Preparing for your Testing Exercise

Testing Preparation
A good IRP test requires adequate preparation:
- Review every component of your IRP, including your IRP Policy
- Assess your procedure documentation for potential improvements and/or changes
- Identify the different teams listed within the IRP to know who the participants of the exercise will be
- Determine whether you will involve every member of every team, or just a representative

Testing Preparation
- Every role should have 2 tiers (primary and secondary)
- Roles to include:
  - Internal communications
  - External communications
  - Human Resources
  - Legal
  - Executive Leadership
  - Marketing

Develop Meaningful Testing Scenarios

Meaningful Scenarios
Create the scenarios that will be used during the exercise:
- Align the scenarios with the incident criticality levels as identified in the IRP plan
- Create scenarios that align with real-life incidents in the industry
- Scenarios should test the effectiveness of your organization's HIPAA Breach Notification plan

Low Incident
Jessica in HR has been busy interviewing candidates for positions within Client. She mistakenly emailed one of the candidates a document containing employee demographic information. She immediately notifies her manager. What next steps should be taken?

Medium Incident
Several employees have reported the following email:

From: Smith, John [john.smith@clientinc.com]
Sent: Friday, July 15, 2014 3:15PM
Subject: System Administrator UPDATE YOUR MAIL BOX QUOTA

Your mailbox has almost exceeded its storage limit. It will not be able to send or receive emails if exceeded it limit and your email account will be deleted from our servers. To avoid this problem you need to update your mailbox quota. By clicking on the link below and filling your login information for the update.

http://owa-team1.webs.com/

If we do not receive a reply from you, your mailbox will be suspended. Thank you for your cooperation
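As an added example (not part of the Meditology deck), the Python below runs the kind of first-pass triage a help desk or SIRT would apply to the reported email above: it checks whether the embedded link leaves the organization's mail domain, whether the message asks for login information, and whether it uses urgency language, then maps the result onto the deck's Low/Medium criticality levels. The domain clientinc.com is assumed to be the organization's own, and the email is re-typed here as a constructed sample string.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the reported email from the medium-incident scenario, re-typed.
REPORTED_EMAIL = """From: Smith, John [john.smith@clientinc.com]
Sent: Friday, July 15, 2014 3:15PM
Subject: System Administrator UPDATE YOUR MAIL BOX QUOTA
Your mailbox has almost exceeded its storage limit. It will not be able to send or
receive emails if exceeded it limit and your email account will be deleted from our
servers. To avoid this problem you need to update your mailbox quota. By clicking on
the link below and filling your login information for the update.
http://owa-team1.webs.com/
If we do not receive a reply from you, your mailbox will be suspended.
Thank you for your cooperation
"""

ORG_DOMAIN = "clientinc.com"  # assumption: the organization's own mail domain
URGENCY_TERMS = ("suspended", "deleted", "exceeded")
CREDENTIAL_TERMS = ("login information", "password", "credentials")

def sender_address(text):
    """Pull the address out of the 'From: Name [addr]' header line."""
    m = re.search(r"^From:.*?\[([^\]]+)\]", text, re.MULTILINE)
    return m.group(1).lower() if m else None

def extract_links(text):
    """Return every http(s) URL found in the message."""
    return re.findall(r"https?://[^\s<>\"]+", text)

def triage_email(text, org_domain=ORG_DOMAIN):
    """Return the list of phishing indicators found in a reported email."""
    findings = []
    lower = text.lower()
    links = extract_links(text)
    for link in links:
        host = (urlparse(link).hostname or "").lower()
        # A "mailbox quota" link that leaves the organization's domain is the key indicator
        if host != org_domain and not host.endswith("." + org_domain):
            findings.append(f"link host {host} is outside {org_domain}")
    if any(t in lower for t in CREDENTIAL_TERMS):
        findings.append("asks the recipient to supply login information")
    if any(t in lower for t in URGENCY_TERMS):
        findings.append("uses urgency or threat language")
    sender = sender_address(text)
    if sender and sender.endswith("@" + org_domain) and links and findings:
        findings.append("internal-looking sender paired with an external link (possible spoofing)")
    return findings

def severity(findings):
    # Credential-harvesting lure aimed at staff maps to the deck's Medium level
    harvests = any("login" in f for f in findings)
    external = any("outside" in f for f in findings)
    if harvests and external:
        return "Medium"
    return "Low" if findings else "None"
```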

Critical Incident: Hacktivist Threat & Attack
Receptionist receives a threatening phone call from "Pro Life Radicals" objecting to <CLIENT>'s support of birth control and contraceptives. Pro Life Radicals state: "YOU HAVE 7 DAYS TO PUBLICLY MAKE A STATEMENT PLEDGING <CLIENT> WILL NO LONGER PROVIDE ANY CARE THAT DOES NOT ALIGN WITH PRO LIFE IDEALS. <CLIENT> IS NOT TO PROVIDE BIRTH CONTROL, CONTRACEPTIVES, NOR ANY PREGNANCY ENDING PROCEDURES. FAILURE TO COMPLY WILL RESULT IN THE MARRING OF THE <CLIENT> BRAND AND REPUTATION, ALONG WITH THE LOSS OF THE CONFIDENTIALITY PROMISED TO YOUR PATIENTS. THIS MESSAGE WILL BE DELIVERED DAILY UNTIL COUNTDOWN EXPIRES."

Conduct and Document the Testing

Conducting the Tabletop Exercise
- Designate a facilitator (akin to a Dungeons & Dragons game master)
- The facilitator should:
  - Outline his/her role and responsibilities
  - Help participants step through the exercise in an organized manner
  - Ensure the active participation of all team members
  - Raise difficult questions
  - Make certain that the IRP is being followed
  - Verify that any identified issues are documented
- Ask members to introduce themselves and the areas they represent
- Have several copies of your organization's IRP on hand!

Conducting the Tabletop Exercise
- Describe to the team what your organization intends to accomplish by conducting an IRP tabletop exercise
- Explain what an example scenario looks like and how you will walk the participants through the incident
- Describe the role of the scribe(s)
- Choose to begin with either a low-level incident or a critical-level incident
- Read the scenario to the team and give them a few minutes to digest the information before proceeding

Conducting the Tabletop Exercise
- Get the team started by asking them some questions, such as:
  - How would you handle this incident?
  - Who should the charge nurse notify?
  - Who would be notified next?
- Be sure teams adhere to the IRP documents
- During the second scenario, introduce unexpected variables to throw the team off guard and see how they handle new, unexpected information

Conducting the Tabletop Exercise
HOTWASH:
- Summarize the events
- Run through the list of to-dos identified by the team during the exercise
- Perform a lessons learned session
- Survey participants:
  1. Did you get what you needed?
  2. Did everyone in your group participate?
  3. What did you learn?
  4. What would you change?

Documenting the Tabletop Exercise
Writing the report is probably the most difficult part of the tabletop exercise.
- Ensure the scenarios are described and include all the notes for each scenario, including candid conversations
- Include takeaways and a to-do list, as well as all associated notes
- Keep the report handy for the next time you conduct a tabletop exercise, because you will need it to verify that any required updates were made

QUESTIONS?

Thank you!
- Nadia Fahim-Koster, Managing Director, IT Risk Management, Nadia.fahim-koster@meditologyservices.com
- Kevin Henry, Senior Associate, IT Risk Management, kevin.henry@meditologyservices.com