eleventh national hipaa summit 5.04 security incident response – what to do if a breach occurs and...
TRANSCRIPT
![Page 1: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/1.jpg)
Eleventh National HIPAA Summit
5.04 Security Incident Response – What to do if a breach occurs and
how to mitigate damages
Chris Apgar, CISSP
![Page 2: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/2.jpg)
Overview
Background
Establishing a security incident response team
Forensics or how to investigate a breach
Follow up or how to mitigate damages
Summary & resources
![Page 3: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/3.jpg)
Background
HIPAA requirements
Establishing policies and procedures
Importance of documentation
Mitigation of legal and regulatory risks
Sound security practices
![Page 4: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/4.jpg)
Establishing a Security Incident Response Team
What is a security response team?
Designing the program
Corporate buy in
Determining size of team based on policy and process requirements
Establishing the team
![Page 5: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/5.jpg)
Establishing a Security Incident Response Team
Establishing a chain of command
Supporting policies and procedures
Designating a team lead
Responsibilities of the team and team lead
Training the team
![Page 6: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/6.jpg)
Establishing a Security Incident Response Team
Establishing a support structure in the organization
Mapping out process and external resources
What external resources may be needed?
Relation to disaster recovery plan
![Page 7: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/7.jpg)
Forensics or How to Investigate a Breach
Stop any further breach
Solving the “crime”
Importance of creating an evidence trail
Importance of creating un-impeachable evidence
![Page 8: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/8.jpg)
Forensics or How to Investigate a Breach
Investigating the breach
Duties of the incident response team
Establishing a command center
Determining type of breach
Determining if truly a breach or a malfunction of software/hardware
![Page 9: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/9.jpg)
Forensics or How to Investigate a Breach
Tracing the breach to its source
Internal versus external breach – hacker versus employee
Actions to be taken based on source of breach
Regulatory requirements in some states
![Page 10: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/10.jpg)
Forensics or How to Investigate a Breach
A word about investigations
Treat a breach as if you were a detective
If criminal activity is present following proper forensic procedures is extremely important
When is it necessary to call in the police, FBI, etc.?
![Page 11: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/11.jpg)
Forensics or How to Investigate a Breach
Use of external organizations to conduct investigationsAdvantages of external resources to smaller organizationsUse of external resources does not mean it replaces at least a small incident response teamBest to contract in advance of any incident
![Page 12: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/12.jpg)
Follow Up or How to Mitigate Damages
A word about mitigating damagesImportance of proper backup and recovery processesDon’t forget proper forensics – keep a copy of the data in question before restoring safeguards, data, etc.Coordinate with incident response team
![Page 13: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/13.jpg)
Follow Up or How to Mitigate Damages
Fast action results in lower mitigation requirementsAssess damage to data, hardware, softwareCoordinate with appropriate organizational representatives but keep the list shortDetermine if privacy breach also occurred
![Page 14: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/14.jpg)
Follow Up or How to Mitigate Damages
Determine whether to notify members or patients of any privacy breach
Be aware of state reporting requirements (especially California)
Avoiding adverse publicity
Proactively responding if adverse publicity occurs
![Page 15: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/15.jpg)
Follow Up or How to Mitigate Damages
Limiting litigation or legal risk
Limiting regulatory risk
Why or why not report incidents to the authorities
Internal versus external exposure
![Page 16: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/16.jpg)
Follow Up or How to Mitigate Damages
Internal versus external perpetrator
Involving Human Resources
Sanctions – consistency a must
Determining the audience – who should I tell?
Steps to limit future threat of similar nature
![Page 17: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/17.jpg)
Follow Up or How to Mitigate Damages
No requirement to report breach to OCR or CMS but state laws may require reporting
What if CMS or OCR investigates?
Importance of policies and procedures
Check your contracts – do they require any specific reporting and when
Returning to normal
![Page 18: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/18.jpg)
Summary
Establish incident response team before incidents occurThe importance of forensics Importance of consistency and limiting exposureFast reaction limits damages and mitigation costsBeware of regulatory, legal and public exposure
![Page 19: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/19.jpg)
ReferencesNIST Special Publication 800-61: http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf SANS: http://www.sans.org
ISSA: http://www.issa.orgWEDI: http://www.wedi.org/snip
![Page 20: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/20.jpg)
ReferencesHandbook for Computer Security Incident Response Teams (Carnegie Mellon): http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html FCC Computer Security Incident Response Guide: http://csrc.nist.gov/fasp/FASPDocs/incident-response/Incident-Response-Guide.pdf ISS Computer Security Incident Response Planning: http://documents.iss.net/whitepapers/csirplanning.pdf
![Page 21: Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP](https://reader030.vdocuments.us/reader030/viewer/2022012400/56649f315503460f94c4c584/html5/thumbnails/21.jpg)
Q&A
Chris Apgar, CISSPPresident
Apgar & Associates, LLC10730 SW 62nd PlacePortland, OR 97219
(503) 977-9432 (voice)(503) 816-8555 (mobile)
[email protected]://www.apgarandassoc.com