Risk: A practice that does not identify the members of its incident response team, ensure that workforce members are trained, or test its incident response plans.
Explanation: An incident response plan clearly defines what constitutes a security incident and lays out a step-by-step approach to handling the situation once one occurs. Without an effective incident response plan and training of the workforce involved, the security of ePHI will remain out of reach and the security of your system will be compromised. It will also increase the cost and time of recovery and exacerbate the damage done to your critical processes.
Primary Mitigation: An effective incident response plan consists of the following components:
- Identifying the roles that will participate in incident reporting and response.
- Providing role-based training to the workforce involved.
- Testing the incident response plan.
- Making observations and recommendations on how to improve incident response.
- Identifying who will speak to law enforcement, business associates, the media, and patients in the event of an incident.
- Carefully training the members of the incident response team.
Secondary Mitigation: Training and raising awareness of incidents among other workforce members as well.
Success Criteria: Successfully identifying which situations qualify as incidents and handling those events without compromising security, while minimizing the cost and time of recovery.