1. As a member of the crisis team put in place to respond to this security breach, what are two administrative, physical, and/or technical security safeguards that you would recommend be put in place? Why and how would you go about doing so?
2. What approach to information technology governance do you think would work best in addressing this situation? Why do you think that that approach would work better than other approaches? Explain your reasoning.
Expert Answer
Hi,
Below are the answers:
Answer 1-
Steps to respond to a security breach-
1. Assemble a task force from the security team-
Appoint one leader who will have overall responsibility for responding to the breach. Obvious choices are your CIO or chief risk officer. Include representatives from all relevant areas, including IT, to trace and deal with any technical flaws that led to the breach, and corporate affairs.
2. Containment of the effects of the security breach- The task force should first identify the cause of the breach and ensure that it is contained.
Steps may include:
a) Installing patches to resolve viruses and technology flaws. The ‘Heartbleed’ security bug identified in April 2014 at one time compromised 17 per cent of internet servers.
b) Resetting passwords for user accounts that may have been compromised and advising users to change other accounts on which they use the same password.
c) Disabling network access for computers known to be infected by viruses or other malware (so they can be quarantined) and blocking the accounts of users that may have been involved in wrongdoing.
d) Taking steps to recall or delete information such as recalling emails, asking unintended recipients to destroy copies or disabling links that have been mistakenly posted.
3. Assess the extent and severity of the breach
The results will dictate the subsequent steps of your response. A thorough assessment involves:
a) Identifying who and what has been affected. If it’s not possible to tell exactly what data has been compromised, it may be wise to take a conservative approach to estimation.
b) Assessing how the data could be used against the victims. If the data contains information that could be used for identity theft or other criminal activity (such as names, dates of birth and credit card numbers)
Security Safeguards-
Physical Safeguards
Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information.
Technical Safeguards
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information.
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Answer 2-
Approach to information technology governance
Communication: Both internal (inform employees and involve everyone able to help, i.e. tech specialists, client service managers, the PR & communication team, etc.) and external (direct mailing to the clients, an official media release and, if necessary, also interviews with the profile press).
Basic rules in this case are:
Be open and sincere. Admit if the fault was on the company’s side and accept responsibility.
Provide details. Explain why the situation took place.
Mitigate. Draw conclusions from the disaster and describe solutions for affected users. If possible, prepare a special offer for the affected audience.
Educate. Explain how to prevent similar issues in the future.
Invite to dialogue. Involve your clients, industry experts, analysts, media people and the general public in the broader discussion about the source of the problem.
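The answer's step 3a (identifying who and what has been affected) and its Audit Controls and Integrity Controls safeguards come together when the task force scopes a breach from access logs. The following is an added example, not code from the answer above; it assumes a constructed audit-log line format (`<ISO timestamp> user=<id> action=<read|update|delete> record=<id>`), a hypothetical compromised account `contractor7`, and a breach window, and returns the records that account touched, which of them were altered, and how many events it generated.

```python
# Added example: scope a breach from audit-log records (not the answer's own code).
# Assumed constructed log format: "<ISO timestamp> user=<id> action=<read|update|delete> record=<id>".
from datetime import datetime
import re

# Constructed sample audit-log lines, not real data.
SAMPLE_LOG = """\
2024-05-01T08:02:11 user=jdoe action=read record=P-1001
2024-05-01T08:05:42 user=contractor7 action=read record=P-2044
2024-05-01T09:15:00 user=contractor7 action=update record=P-2044
2024-05-01T09:16:30 user=contractor7 action=read record=P-3190
2024-05-02T01:12:09 user=contractor7 action=delete record=P-4471
2024-04-30T23:59:00 user=contractor7 action=read record=P-9999
"""

# Hypothetical breach window established by the task force (assumption).
BREACH_START = datetime(2024, 5, 1)
BREACH_END = datetime(2024, 5, 3)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)
ALTERING_ACTIONS = {"update", "delete"}  # actions relevant to integrity controls


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def scope_breach(text, compromised_users, start, end):
    """Return (affected_records, altered_records, events_per_user) for activity
    by compromised accounts inside the window [start, end]."""
    affected, altered, per_user = set(), set(), {}
    for ev in parse_log(text):
        if ev["user"] not in compromised_users or not (start <= ev["ts"] <= end):
            continue
        affected.add(ev["record"])
        if ev["action"] in ALTERING_ACTIONS:
            altered.add(ev["record"])
        per_user[ev["user"]] = per_user.get(ev["user"], 0) + 1
    return sorted(affected), sorted(altered), per_user


def scope_sample():
    """Run the scoping over the constructed sample for the assumed compromised account."""
    return scope_breach(SAMPLE_LOG, {"contractor7"}, BREACH_START, BREACH_END)
```

Records read before the window (P-9999) and activity by uncompromised users (jdoe) are excluded, while altered records (P-2044, P-4471) are listed separately because they need integrity verification or restoration, not just notification.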