Why Healthcare Needs to Beef Up Incident Response Plans
Van Steel of LBMC Information Security on Responding to IT Outages
Effective testing of incident response plans continues to be a major weakness for many healthcare sector entities, especially those facing ransomware and other disruptive incidents, says Van Steel, a partner at consultancy LBMC Information Security.
"A well-defined continuity or incident response plan starts with the security team interviewing the business and practitioners about what is critical to conducting their jobs. What I see is that that communication is broken down in some cases," he says in an interview with Information Security Media Group.
Entities often don't fully understand the ramifications of an incident affecting a particular application, platform or technology in use, Steel says.
"That criticality discussion … saying that this machine needs to be running 24 hours a day, seven days a week and cannot go down for an extensive period of time or patient care is at risk - that's not happening enough," he says.
According to Steel, entities are not "digging into" the critical applications and systems in their environments and testing their incident response plans against them. "It does surprise organizations that they simply cannot care for patients during an outage because they are so dependent on this medical device, or scope, or something like that that runs on the network."
In the interview, Steel also discusses:
- Recognized security practices that federal regulators say they will consider before making a HIPAA enforcement determination against a covered entity or business associate;
- Security challenges involving medical devices and other internet of things gear;
- Emerging cybersecurity issues facing healthcare sector entities in the new year.
Steel is an LBMC shareholder in the risk and information security practice. He has over 20 years of experience in information security, IT audit, and consulting services across many industries, but his primary focus has been in healthcare. During his 14 years at consulting firm KPMG, Steel worked directly with the Department of Health and Human Services Office for Civil Rights in interpreting HIPAA security and privacy law requirements, developing audit protocols and conducting performance audits against the program.