The Cybersecurity Unit of the U.S. Department of Justice (DOJ) has produced a new set of guidelines to help organizations prepare for data breaches, so that they can take prompt action to mitigate damage and address security vulnerabilities.
The DOJ felt that smaller organizations were unsure about the correct breach response, and aimed its guidance at these companies rather than large corporations and healthcare providers which are likely to have already implemented appropriate policies and procedures.
A step-by-step guide is also included to help organizations prepare for the inevitable. The guidelines detail the steps that must be taken immediately after a breach to limit continuing damage, along with a useful section covering actions that must not be taken, such as continuing to use a compromised system to communicate.
Unfortunately, while steps are listed, not all will be appropriate for every organization. It is therefore essential that companies develop their own breach policies and procedures to match their own infrastructures.
The guide points out certain critical measures that must be implemented before and after a data breach, but says it is up to each organization to determine which data are its “Crown Jewels,” meaning the data that requires the greatest level of protection. Safeguards must be implemented to provide the required level of protection, and the response must take the level of risk into consideration.
The DOJ Guide suggests using the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework guidance to form a comprehensive plan that will implement all of the appropriate safeguards to prevent a data breach, while ensuring that rapid action can be taken as soon as a breach is discovered.
The DOJ has worked closely with organizations in both the private and public sectors and has used the “lessons learned by [its] federal prosecutors while handling cyber investigations and prosecutions, including information about how cyber criminals’ tactics and trade-craft can thwart recovery.” The advice draws on the DOJ’s experience in dealing with organizations that have previously suffered data breaches and have already had to put their breach response policies to the test.
The guidance has not been developed specifically with the healthcare industry in mind, but it does provide useful tips that will be invaluable to security officers, and the advice can help prevent HIPAA breach notification violations. Security officers and healthcare IT professionals should consult the guide for advice, although healthcare-specific requirements should be obtained from the Department of Health and Human Services’ Office for Civil Rights.
The volume of data breaches suffered by the healthcare industry has increased substantially in recent years, and hackers are now targeting the healthcare industry because of the high value of the data it holds.
A data breach is now inevitable, so it is essential that healthcare providers, health plans and healthcare clearinghouses are properly prepared. The Office for Civil Rights is monitoring breach responses closely and can issue substantial financial penalties when organizations fail to act quickly and take the appropriate steps to notify victims, address security risks and mitigate damage.