BreachExchange mailing list archives
Best Practices for Incident Response Plans
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 May 2017 17:21:48 -0600
http://www.hitechanswers.net/best-practices-incident-response-plans/ Data breaches cost companies an average of $221 per compromised record. Heavily-regulated industries, like healthcare, tend to have per capita data breach costs substantially higher than the overall mean. In fact, according to an American National Standards Institute (ANSI) survey of institutions who experienced a reported breach, healthcare breaches can cost $8,000 to $300,000, in addition to any U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) penalty or settlement. Healthcare data contains a wide range of identifying information, including social security numbers, birthdates and home addresses. This makes health information very valuable, necessitating effective breach prevention and incident response plans. Here are five best practices. Create a Patient Data Protection Committee Everyone involved in protecting Protected Health Information (PHI) at a healthcare organization must communicate with each other regularly. Creating a patient data protection committee will facilitate this communication. This committee should conduct some privacy functions for the organization, like overseeing patient privacy and security programs, performing quarterly risk analyses and assessments, and reviewing policies and procedures annually. Provide On-Going Education and Training Many breaches are caused by unintentional employee actions during the normal Release of Information (ROI) process. Unfamiliarity with proper policies and procedures for the use and disclosure of health information is frequently to blame. With this in mind, fostering a culture of compliance is key to stopping these breaches. As part of this culture of compliance, workforce members should undergo formal training at least once a year. Encrypt Utilizing technology to strengthen compliance is a must. Electronic PHI (ePHI) should always be encrypted before distribution, fortifying the data against breach. Test the Effectiveness of Compliance Program Keep your compliance program current by performing regular effectiveness tests. Mock breach exercises and the use of fake phishing emails are great ways to keep employees up to date on compliance. Assess BA Compliance It is important that Business Associates (BAs) are compliant. Conducting regular due diligence and periodic vendor audits will ensure BA compliance. Make sure Business Associate Agreements (BAAs) are in place.
_______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- Best Practices for Incident Response Plans Audrey McNeil (May 10)