Infosec Incident Response Planning in the healthcare delivery system

In the evolving world of information digitization and migration to mobile devices, especially in the health care sector, health and medical records are attractively becoming target for cybercriminals. According to Barbara Filkins (sans.org. 2014) medical, health, and financial records are critically being targeted by cybercriminals because of their profitability. She reported in her survey that “the growing presence of online personal information, consumer-facing mobile apps, and new methods of accessing and transferring medical data are increasingly putting sensitive protected data at risk. Ultimately, the trend of pushing sensitive data outside an organization’s protected environment via cloud computing, mobile identity and access, and the Internet of (Care) Things such as medical devices that are also subject to regulatory compliance

demands that security be pushed closer to the actual data.”

For an effective and efficient incident response planning (IRP) requires a Business Impact Analysis (BIA) to identify the critical resources that actual incident occurrence would affect. That also looks into the weaknesses of “current data breach detection solutions, (infosec) training and awareness and the negligent insider as the chief threat” (Barbara Filkins. 2014). These resource areas range from “Hospitals, Health care delivery system/Health care network, Ambulatory/Outpatients provider, and Clinic, Health plan/payer (insured), Ancillary service provider (laboratory/radiology), Pharmacy/PBM, Health information organization (HIO) and exchange, Public Health Department, Clearinghouse and Critical access or rural hospitals” (Barbara Filkins. 2014). The medical and health information assets that are considered most at risk as Barbra identified, include, but not limited to, “Electronic medical record (EMR)/Electronic health record (EHR), Personal health record (PHR), Patient portals, Supporting infrastructure (underlying middleware, network as a whole), Corporate assets/Intellectual property, Point-of-sales systems, Clinical automation systems (biomedical systems, pharmacy robots), Major clinical applications (ancillary services, laboratory, radiology, pharmacy), Health information exchange (HIE), Mobile medical device applications for workforce ( including contractors), Enterprise data management systems (master person index, provider directory), Mobile applications delivered directly to consumers, Health insurance exchange (HIE), Practice management/Billing systems and Telemidicine/Telehealth capabilities and support systems” ” (Barbara Filkins. 2014).

Incident Response Planning (IRP) and timely recovery in health care delivery system would include: “assess the teams ability to detect, respond to and contain threats” or actual occurrences; Ensure “the organizational incident response (IR) strategy is consistent with organizational security policy; Grant sufficient authority to the IR team to take specified actions; Define roles and responsibilities of the IR team and parties participating in the response process: Establish a list of prioritized information assets and services, as well as acceptable downtime; Develop and communicate procedures for reporting, escalation and other needed activities: Test the IR processes (and make necessary changes); Educate the team on emerging threats and train members to handle both expected and unexpected incidents”; Finally, inform and create awareness on the need for medical asset generators, users and providers to be more

security alert to infosec threats, risks and vulnerability. “Review response and update policies—plan and take preventative steps so the intrusion can't happen again.”

  

References

Filkins, Barbara. New Threats Drive Improved Practices: State of Cybersecurity in

health Care Organization. December, 2014. Retrieved December 07, 2016 from https://www.sans.org/reading-room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652

Incident response Plan Example – California Department… Retrieved January 8, 2016 from https://www.bing.com/search?q=Infosec+Incident+Response+Planning+in+the+healthcare+delivery+system&FORM=EDGEND