The recent Anthem breach may affect 80 million people. Employers that contracted with Anthem as an insurer (or as a third-party administrator for their self-insured plans) must now recognize that defending their digital perimeter is not enough. Health insurance companies (and their brokers, TPAs, and other insurance support organizations) and large health and hospital systems, all of which are subject to myriad federal (HIPAA) and state privacy and security laws, are vulnerable and should prepare now. You should assume that successful cyberattacks will occur, and you should create an effective cyber incident response plan and test it to be sure you are prepared for a breach.
What Is a Cyber Incident Response Plan?
A cyber incident response plan is just what it sounds like: a contingency plan to guide you through a data breach. Sample actions of a plan include:
Why Do You Need a Cyber Incident Response Plan?
You need a cyber incident response plan for one simple reason: companies that have such plans handle data breaches better.
A cyber incident response plan limits damage by reducing recovery time and costs, and it maintains the confidence of vendors and customers. A well-tested cyber incident response plan gives you control in three ways. First, it delineates clear roles and responsibilities across the organization, so you know who will have decision-making authority. Second, it establishes that internal coordination and reporting are mapped out in advance, along with preapproved documentation (e.g., scripts for handling customer calls, correct notices, and updated contact information), that forensic and response firm contracts are in full force and effect, and (if applicable to the organization) that a detailed HIPAA “breach” investigation and notification procedure is in place. Third, it ensures that minor events do not snowball, by routinely monitoring systems and by creating a culture of compliance through ongoing training, documentation, and change management.