
HIPAA Requires an Incident Response Plan

How a Qualified VCISO Can Help

One of the fundamental components of a robust cybersecurity program is incident response. For healthcare providers, a detailed plan for responding to cybersecurity incidents is mandated by the HIPAA Security Rule.

Other security program elements, such as cybersecurity awareness, compliance, risk assessment, and corrective action planning, are equally important. However, incident response planning is often overlooked, and even more often untested.

Reasons for this negligence vary among organizations. In some, the security team lacks the bandwidth or skills to address certain fundamental security program components. Others do not have the budget or executive support to do so. Still others believe that a security incident is unlikely to happen to their organization, and have therefore assigned a low priority to incident response planning. In any case, all are taking an ill-advised and unnecessary risk.

Security Incidents Happen to All Organizations

The Identity Theft Resource Center reports that the number of data breaches through September 2021 has already exceeded the total number of data breaches that occurred in the U.S. last year by nearly 20%. Through September, there have been 1,291 breaches, compared to a total of 1,108 in 2020.

In addition, the total number of cyber attack-related data breaches through September 2021 is up 27% compared to all of 2020.

The Identity Theft Resource Center is a nationally recognized nonprofit organization established to support victims of identity theft and other identity crimes. The ITRC has been tracking publicly-reported data breaches in the U.S. since 2005.

The Ponemon Institute, in collaboration with IBM, regularly reports on the costs associated with data breaches. By mid-year 2021, the average cost of a data breach had reached $4.24 million per incident—the highest in 17 years. The pandemic contributed significantly to this rise in two ways.

  • First, the average cost of a data breach was $4.96 million when remote work was a factor, compared to $3.89 million when it was not, according to the research.

  • Second, industries heavily impacted by the pandemic, such as healthcare, consumer manufacturing and distribution, and others, experienced a substantial increase in data breach costs. Healthcare has been especially hard hit, jumping by $2 million per incident to reach an average cost of $9.23 million per data breach in 2021.

In terms of primary attack vectors, data from the Identity Theft Resource Center indicates that phishing schemes and ransomware are continuing to lead by a landslide. As to the most common root cause of incidents, Ponemon research points to stolen user credentials, with 44% of data breaches exposing customer names, email addresses, and passwords in 2021.

Ignoring the Risks

With data breaches and their costs up significantly this year, it is difficult to understand why any organization’s security team would not have an incident response plan fully developed, tested, and ready to roll. This is particularly true for an organization in the highly vulnerable healthcare industry, whether an insurer or health plan, hospital, medical center, imaging or other diagnostic center, professional association, or physician private practice.

The effects and costs associated with suffering a data breach are numerous, and include:

  • Reputational damage,

  • Destruction or corruption of databases, systems, and applications,

  • Loss or theft of sensitive data, intellectual property, and other confidential information,

  • Remediation costs, which may include paying a ransom to retrieve stolen data, the cost of upgrading systems or applications, and personnel training costs,

  • Cost to notify affected customers or patients, to provide free credit monitoring as needed, and to provide other compensation,

  • Operational downtime in reacting to the breach and its various effects,

  • Legal actions against the organization brought by individuals or classes of individuals affected by the breach, and

  • Regulatory fines and penalties, closer scrutiny by regulators, and specific security requirements and deadlines imposed by regulators.

When an organization is able to respond quickly and effectively to a data breach, attempted breach, or other security incident, many of these effects and their costs can be significantly reduced, and some prevented entirely.

A Virtual CISO Can Do It For You

Despite these facts, there are still organizations that are unable to prepare an incident response plan, for reasons outlined earlier. In these situations, there is a proven solution that will get the job done quickly, properly, and cost-effectively—and any qualified, virtual Chief Information Security Officer can make it happen for you.

Before we discuss how a virtual CISO (VCISO) can help, let’s review the HIPAA regulations that require a healthcare organization to have an incident response plan.


HIPAA Requirements for Incident Response Plan

For organizations in the healthcare industry, the HIPAA Security Rule is very clear in its requirement for a security incident response plan as an integral component of HIPAA compliance.

What constitutes a security incident? 45 CFR Part 164.304 defines a security incident as “the unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system.” The unauthorized access may be successful, or it may simply be attempted access—it doesn’t matter.

The security incident procedures specified in 45 CFR Part 164.308(a)(6)(i) require a covered entity “to implement policies and procedures to address security incidents.”

Its close cousin, 45 CFR 164.308(a)(6)(ii), requires the covered entity “to identify and respond to suspected or known security incidents; to mitigate, to the extent practicable, the harmful effects of security incidents that are known to the covered entity; and to document security incidents and their outcomes.”

Protecting ePHI

The purpose of these requirements is to safeguard electronic Protected Health Information (ePHI). A healthcare organization or covered entity must implement a process for promptly detecting and responding to security incidents that can impact the confidentiality, integrity, or availability of the ePHI maintained in its information systems. These attributes are described as follows:

  • Confidentiality is the requirement that ePHI and other data be protected from unauthorized disclosure or exposure.

  • Integrity refers to protecting the data from being improperly modified, altered, corrupted, or compromised.

  • Availability requires that the information systems be well maintained and managed so that data is always accessible to those who need it.

In the healthcare industry, these three standards are woven throughout most aspects of HIPAA compliance and ePHI security.

How a Virtual CISO Can Help

A qualified VCISO with healthcare industry experience and HIPAA expertise will be extremely familiar with all HIPAA Security Rule requirements and security standards related to security incident response planning.

He or she will be able to direct and assist in the development of a process that will enable you to promptly detect and respond to data breaches and other security incidents that may pose a risk to the ePHI maintained in your information systems—thereby enabling you to comply with these requirements of the HIPAA Security Rule.

The process that is developed will be formalized in an incident response plan document specific to your organization and its business operations. Recognizing that healthcare organizations are not identical, the HIPAA Security Rule allows for some degree of flexibility in how each organization determines the most appropriate ways to address their potential security incidents.

Plan development will also encompass the following security compliance requirements governing the protection of ePHI. Hiring the services of a qualified VCISO will ensure that these requirements are addressed in the incident response plan:

  • 45 CFR 164.306 – Security Standards: General Rules

  • 45 CFR 164.308 – Administrative Safeguards

  • 45 CFR 164.310 – Physical Safeguards

  • 45 CFR 164.312 – Technical Safeguards

  • 45 CFR 164.314 – Organizational Requirements

  • 45 CFR 164.316 – Policies, Procedures, and Documentation Requirements

In addition, a qualified VCISO will direct and assist in establishing a security incident response team, which will be responsible for executing the incident response plan the moment a data breach occurs (or is discovered). The VCISO will also be able to guide the team in testing the incident response plan, as well as in training the team in executing the plan.

The VCISO will also provide related recommendations for any staffing, resources, and budget that may be required to support the team and the plan.

Clearly, a qualified VCISO will cover all the bases, making sure that your incident response plan meets HIPAA requirements and is fully compliant. Additional services related to incident response planning may also be available.

And there’s more good news. In most cases, the development of your incident response plan can be addressed as a one-time project with a finite cost. This makes the option of contracting with a qualified VCISO even more attractive.


Many organizations lack the bandwidth, skills, budget, or executive support necessary to implement an incident response plan, despite the fact that data breaches are on the rise. The number and cost of data breaches in 2021 have already surpassed last year’s statistics.

In 2021, the average cost of a data breach was $4.24 million per incident across all industries. Because of the nature of data specific to the healthcare industry, including electronic Protected Health Information (ePHI), healthcare organizations are particularly vulnerable to data security incidents and the average cost per incident is substantially higher.

While planning for data breaches and other security incidents is considered good business and a best security practice for any organization, in the healthcare industry, it is mandated by the HIPAA Security Rule. Multiple parts of this regulation have very specific requirements for protecting ePHI and planning for effective and prompt responses to security incidents. To ensure compliance with HIPAA, healthcare organizations that have not yet developed the required incident response plan can take advantage of the services of a virtual CISO who is fully qualified in the healthcare industry.

Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM), and Certified Information Security Auditor (CISA) from ISACA. She also holds a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.
