Infosec
Incident Response Planning in the healthcare delivery system
In the evolving world of information digitization and migration to mobile devices, especially in the health care sector, health and medical records are increasingly becoming targets for cybercriminals. According to Barbara Filkins (SANS, 2014), medical, health, and financial records are being targeted by cybercriminals because of their profitability. She reported in her survey that “the growing presence of online personal information, consumer-facing mobile apps, and new methods of accessing and transferring medical data are increasingly putting sensitive protected data at risk. Ultimately, the trend of pushing sensitive data outside an organization’s protected environment via cloud computing, mobile identity and access, and the Internet of (Care) Things such as medical devices that are also subject to regulatory compliance demands that security be pushed closer to the actual data.”
Effective and efficient incident response planning (IRP) requires a Business Impact Analysis (BIA) to identify the critical resources that an actual incident would affect. The BIA also looks into the weaknesses of “current data breach detection solutions, (infosec) training and awareness and the negligent insider as the chief threat” (Filkins, 2014). These resource areas range from “Hospitals, Health care delivery system/Health care network, Ambulatory/Outpatients provider, and Clinic, Health plan/payer (insured), Ancillary service provider (laboratory/radiology), Pharmacy/PBM, Health information organization (HIO) and exchange, Public Health Department, Clearinghouse and Critical access or rural hospitals” (Filkins, 2014). The medical and health information assets considered most at risk, as Filkins identified, include, but are not limited to, “Electronic medical record (EMR)/Electronic health record (EHR), Personal health record (PHR), Patient portals, Supporting infrastructure (underlying middleware, network as a whole), Corporate assets/Intellectual property, Point-of-sales systems, Clinical automation systems (biomedical systems, pharmacy robots), Major clinical applications (ancillary services, laboratory, radiology, pharmacy), Health information exchange (HIE), Mobile medical device applications for workforce (including contractors), Enterprise data management systems (master person index, provider directory), Mobile applications delivered directly to consumers, Health insurance exchange (HIE), Practice management/Billing systems and Telemedicine/Telehealth capabilities and support systems” (Filkins, 2014).
Incident Response Planning (IRP) and timely recovery in the health care delivery system would include: “assess the team's ability to detect, respond to and contain threats” or actual occurrences; ensure “the organizational incident response (IR) strategy is consistent with organizational security policy; grant sufficient authority to the IR team to take specified actions; define roles and responsibilities of the IR team and parties participating in the response process; establish a list of prioritized information assets and services, as well as acceptable downtime; develop and communicate procedures for reporting, escalation and other needed activities; test the IR processes (and make necessary changes); educate the team on emerging threats and train members to handle both expected and unexpected incidents”; and finally, inform and create awareness of the need for medical asset generators, users and providers to be more alert to infosec threats, risks and vulnerabilities. “Review response and update policies—plan and take preventative steps so the intrusion can't happen again.”
References
Filkins, Barbara. New Threats Drive Improved Practices: State of Cybersecurity in Health Care Organization. December 2014. Retrieved December 07, 2016 from https://www.sans.org/reading-room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652
Incident Response Plan Example – California Department… Retrieved January 8, 2016 from https://www.bing.com/search?q=Infosec+Incident+Response+Planning+in+the+healthcare+delivery+system&FORM=EDGEND
http://nwachukwugwilliamInfoSec.blogspot.com