HIMSS14: Build an integrated security incident response team
ORLANDO--More than seven million patient medical records were breached in 2013, which is a 138 percent increase over 2012, according to Brian Evans, principal consultant at Tom Walsh Consulting, who spoke during a session on breach incident response at the Health Information and Management Systems Society annual conference.
“Breaches cost money. If you can manage breaches more effectively, you’ll save money. If you can prevent them from happening, you’ll save even more money,” Evans said.
To best manage security incidents, healthcare organizations can’t think of the problem as an IT issue, he added. Organizations need a cross-discipline team.
Most organizations have people investigate security incidents in an unofficial capacity, said Patricia Pritchett, senior vice president for ambulatory services at University of Alabama at Birmingham Health System (UAB Medicine), so they don’t have documented roles and responsibilities. “Oftentimes, the person doing the investigation is the person who is the manager of the area of concern.”
Pritchett’s organization has had a goal of avoiding a “fragmented investigative and review system.” To achieve that goal, they first established a common goal of creating an approach that would be systematic, redundant and objective, she said. They built a team that treated security incident response as a service line function. “We chose to have a core team but recognized the need for alternative members when the situation creates itself. We have a uniform team and then we are able to deploy additional resources as necessary.”
To create an effective team, Pritchett suggested making decisions such as whether the team will be available around the clock and whether any portion of the effort will be outsourced. Organizations need to assess their employees’ expertise and determine whether outsourcing offers a deeper skillset. “It’s important to have a degree of humbleness about this.”
UAB has an investigation team that investigates the incident and completes the risk assessment form. Then, a review team reviews the findings. “Oftentimes, we concur but we have agreed as a team that we will resolve all issues and not leave anything hanging.”
Evans said employees need to be trained on what an incident looks like. Also, there are several ways to report a security incident and “if you’re not going to centralize then synchronize.” He cited organizations in which several different people each keep their own database of incidents, but the databases don’t match up with each other.
He also recommended establishing an incident analysis hardware and software toolkit and said that most organizations “will benefit in the long run to have some kind of case management product.” That allows for trending and analysis of incidents as well as an enhanced ability to respond to any lawsuits. “Any incident can end up in the courtroom so square away all documentation.”
Evans discussed three main elements of investigating and managing incidents: containment, eradication and recovery. Containment refers to limiting the scope of the problem, which will vary based on the situation. Eradication refers to the need to mitigate the factors that resulted in the incident. Recovery refers to figuring out how to get in a better position, which could include changing passwords, restoring systems and applying patches. “The ultimate goal is to put us in a better position to prevent the same incident from happening again,” said Evans.
Pritchett said UAB Medicine experienced 181 breach investigations in 2013 with 19 reportable breaches. This served as an advantage to her organization’s investigation team because “they get exposure to a broader range of topics than they otherwise would if they were only participating in investigations on certain incidents.”
After any incident, her investigation team holds a “lessons learned” meeting with the goal of building on each instance to create an improved process. They identify what could have been done differently and what tools or resources they need in place.
Pritchett suggested that healthcare organizations ensure that their incident response procedures are maintained and updated in a current state of readiness. “Review your response and support procedures to ensure they still adequately address business and compliance requirements.”
Breaches are inevitable, she said. “Being prepared is the most cost-effective thing we can do.”