Sunday, May 31, 2015

Everything You Need to Create a Healthcare Data Breach Notification Plan

Healthcare data breaches have moved front and center in the news lately. In fact, 2015 has been called "The Year of the Hack." As many people admit, it’s not a matter of if your organization will be breached, it’s just when the breach will occur. One important thing all organizations should prepare for is what, how and to who they should communicate when the breach occurs. Having a Security Incident Response Plan assembled prior to a breach will go a long way toward ameliorating the negative impacts a breach will have for your organization.

This post provides a list of great resources that can be used to create a Security Incident and External Breach Notification Plan. The materials were developed by government agencies like the NIST, DOJ, private companies like Experian and Microsoft, associations like the American Bar Association and leading security consultants. 

What Goes into a Good Plan?


Gives a good overview of how to “Establish and implement a written data breach response policy”


Really good info!


More info on what should be included in a good plan.


Good RACI chart for assigning responsibilities – Other useful info too


Good questions to answer before and after a breach: See pages 10, 16, 21, 26. Also, this fellow Lenny Zelster appears to be a very knowledgeable consultant. I don't know him personally but he might be a good consulting resource.

What Kind of Questions Should You Ask or Will You be Asked?

Questions that need to be addressed. Sample questions others may ask for which you’ll need to be prepared.


Appendix A contains incident response scenarios and questions for use in incident response tabletop discussions

Appendix E identifies resources that may be useful in planning and performing incident response.

Appendix F covers frequently asked questions about incident response.

Ok. It Happened!


Overview from Experian including info on HIPAA.


Some good info from Microsoft


And a word from the lawyers... :)

Don't Forget Those Pesky State Regulations


For instance:

States In Which Definition for “Personal Information” is Broader Than the General Definition

States That Require Notification Within a Specific Time Frame

Best Practices, Cheat Sheets & Templates – Oh my!


Recent Guidance from DOJ


In Word & Excel formats


Good steps – see page 10-14

That's All Folks!

So there you have it. The above is pretty much all you'll need to assemble a good security incident response plan. There’s no need to develop a plan all on your own. As someone once said: “Good artists borrow, great artists steal.”

For other information on healthcare and information technology, consider following me on Twitter.



No comments:

Post a Comment