New Guidance for HIPAA Breach Response Plan

NIST Draft Publication Provides Guidance for HIPAA Breach Response Plans


By Matt Wimberley, Santa Rosa Consulting

The National Institute of Standards and Technology (NIST) has just released a draft revision of its Computer Security Incident Handling Guide (Special Publication 800-61). HIPAA Privacy and Security Officers should take note and review it carefully. NIST's publications do not carry the force of law for non-federal organizations, but they are widely treated as the state of the art in security practice, and the Department of Health and Human Services (HHS) shows them clear deference. As discussed in a previous blog on the importance of encryption in your organization's strategic plan, HHS points to NIST's encryption guidance as the standard for "secured" ePHI: protected health information encrypted in accordance with that guidance is considered unusable, unreadable or indecipherable, so its loss is not a reportable breach under the Breach Notification Rule.

[Related Article: Encrypting ePHI to Achieve HIPAA Security]

NIST's last revision of the guide was published in March 2008, so any plan structured around the old document must be revisited for your organization's breach response plan to remain state of the art. The OCR breach portal (the "Wall of Shame") currently lists 479 organizations with breaches affecting 500 or more individuals, approximately 21 million patients in total. If your organization ends up in a similar position, having a current, well-exercised breach incident response plan in place will relieve some of the stress of such a high-profile event. For example, a clear plan of action can take some of the sting out of the negative press likely to follow any breach.

Some of NIST’s key inclusions in its latest publication are:

A Formal Incident Response Plan Must Be Established. If you haven't done this already, now is the time. NIST recommends putting documented handling and reporting procedures in place, creating courses of action for dealing with third parties (business associates, law enforcement, vendors and the media) in regard to the breach, building a structured breach response team with defined lines of communication, and, obviously, providing the team with the necessary staffing and training.

Preventive Measures are a Must. Proper controls and procedures are clearly a key component of avoiding and mitigating breaches. NIST's preventive controls are ordinary security hygiene rather than exotic technology: periodic risk assessments, host hardening and patching, network security, malware prevention, and user awareness training. Ensure these controls are in place and kept current, because a lower incident count is what makes the response plan manageable.

A Strategically Targeted Focus is Important. NIST itself states that “it is infeasible to develop step-by-step instructions for handling every incident.” Surely, this should lead to a sigh of relief, but it does not remove your organization’s responsibility to prepare responses for the majority of attack types. It does, however, indicate the importance of prioritizing. We recently chose to execute this approach with a large client who simply didn’t have the resources to prepare for every possible attack type. To do this, we developed an Inherent Risk Model for systems, which allowed them to strategically target their resources.

Detection and Analysis are Critical. Being able to quickly identify problem areas is crucial to quickly limiting damage. Fast detection also supports another NIST recommendation: written guidelines for prioritizing incidents. NIST rates incidents by their functional impact on the business, the impact on the information involved, and how recoverable the incident is; for a HIPAA covered entity, whether ePHI was accessed or exfiltrated is the factor that determines whether breach notification obligations are triggered, so it belongs at the top of that scale.

Lessons Learned. As with any negative organizational event, regardless of who was at fault, it is important to critically examine the response, document what went well and what did not, and work to eliminate the gaps and failings before the next incident.

A Resourceful Set of Appendices. The appendices include response scenarios for tabletop exercises, the data elements to collect for each incident, useful planning resources, a FAQ on incident response, the major steps that must be taken after an incident, and a very useful change log for those of you who built your plan off the older revision.

Be mindful that the NIST publication should serve as an excellent guide and checklist for your breach incident team, but should not be treated as a set of strict rules. The document wasn't written specifically for HIPAA breaches and will need to be tailored to the unique world of HIPAA compliance and breach incident response, in particular the Breach Notification Rule's risk assessment and notification deadlines, which the NIST guide does not address.

Matt Wimberley is a consultant and blogger at Santa Rosa Consulting where this article post was first published. Santa Rosa Consulting is a national provider of management consulting and information technology services to the healthcare industry.