Key Takeaways:

  • Preventing and detecting cybersecurity incidents is challenging enough, but responding to them is a different ball of wax altogether.
  • Responding to an incident requires its own unique set of skills and tools that most companies don’t possess. While technical expertise is crucial for containment, effective incident response is a comprehensive program that begins before an incident occurs and continues long after the threat is removed.
  • It is important for healthcare companies to have a strong incident response plan, as they continue to be targets of choice for security breaches. This is due to vulnerabilities in current technologies and the sensitive nature of patient data.

Podcast: Incident Response Should Be Common Sense

Since incident response is no longer just an IT matter and often involves legal questions, it is important for organizations to develop an incident response team, seek outside expertise, and have an overall action plan in the event of an incident. In this podcast, LBMC Information Security’s Bill Dean discusses how a complex situation like incident response can be handled purely on the basis of common sense.

Detection and Analysis

Cybersecurity Breach: Detection and Analysis Checklist

Security event detection is a struggle for most companies.

On average, it takes companies 90-120 days before learning they have a problem. This means that security teams don’t have a chance to prevent data loss or corruption; the best they can hope for is damage control.

Despite the many security tools available, attackers can still bypass traditional defenses and cause damage. Detecting threats requires a holistic approach that starts with people, prior to a technology purchase.

Threat actors rely on unpatched systems, missed or skipped alerts, and known vulnerabilities. Most of the time this isn’t a far-reaching gamble—98% of all exploited systems contained a vulnerability that had been published in the Common Vulnerabilities and Exposures (CVE) database, a tool familiar to all security practitioners, for over one year!
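One practical way to act on that statistic is to rank open scanner findings by how long the underlying CVE has been public, so the systems exposed to year-old, widely known vulnerabilities are patched first. The following Python is an added example, not code from the article or from LBMC; the inventory, host names and `CVE-0000-000x` identifiers are constructed placeholders, and the one-year threshold is taken from the article.

```python
"""Rank unpatched findings by how long their vulnerability has been public.

Added example; the findings below are constructed sample data with placeholder
CVE identifiers and do not refer to any real advisory.
"""
from dataclasses import dataclass
from datetime import date

STALE_DAYS = 365  # the article's "published for over one year" threshold


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str       # placeholder identifier in the sample data
    published: date   # date the CVE entry was published
    patched: bool


def days_public(finding: Finding, today: date) -> int:
    """Days elapsed since the vulnerability was published in the CVE database."""
    return (today - finding.published).days


def stale_unpatched(findings, today: date, stale_days: int = STALE_DAYS):
    """Unpatched findings whose CVE has been public longer than stale_days.

    Sorted oldest first, so the longest-exposed systems are fixed first.
    """
    stale = [f for f in findings
             if not f.patched and days_public(f, today) > stale_days]
    return sorted(stale, key=lambda f: days_public(f, today), reverse=True)


def exposure_ratio(findings, today: date, stale_days: int = STALE_DAYS) -> float:
    """Fraction of unpatched findings that are stale (0.0 when nothing is open)."""
    unpatched = [f for f in findings if not f.patched]
    if not unpatched:
        return 0.0
    return len(stale_unpatched(findings, today, stale_days)) / len(unpatched)


# Constructed sample inventory (placeholder hosts and CVE ids).
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-0001", date(2022, 3, 1), patched=False),
    Finding("web-02", "CVE-0000-0002", date(2024, 11, 20), patched=False),
    Finding("db-01", "CVE-0000-0003", date(2021, 6, 15), patched=True),
    Finding("vpn-01", "CVE-0000-0004", date(2023, 1, 10), patched=False),
]
TODAY = date(2025, 1, 15)  # fixed "today" so the example is reproducible

if __name__ == "__main__":
    for f in stale_unpatched(SAMPLE_FINDINGS, TODAY):
        print(f"{f.host}: {f.cve_id} public for {days_public(f, TODAY)} days")
    print(f"stale share of open findings: {exposure_ratio(SAMPLE_FINDINGS, TODAY):.0%}")
```

Run against the constructed inventory, the report lists web-01 and vpn-01 (both exposed to vulnerabilities public for well over a year) and skips web-02, whose CVE is only weeks old; feeding it real scanner output means mapping each finding's CVE publication date into `Finding.published`.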

“The average breach cost for healthcare fell 10.6%, to USD 9.77 million. But that factor wasn’t enough to remove it from the top costliest industry for breaches—a spot it’s held since 2011. Healthcare remains a target for attackers since the industry often suffers from existing technologies and is highly vulnerable to disruption, which can put patient safety at stake.”
– IBM’s 2024 Cost of a Data Breach Report

Preparation is a vital component to mitigating cyber threats. As the saying goes, “Fail to prepare, prepare to fail.”

Three Strategies to Respond to Security Breaches

Having a comprehensive Incident Response Plan to guide your actions can be the difference between success and failure.

1. Containment

Don’t delay your response once an intrusion is identified. Do carry out your containment procedures with expediency. Containment strategies will vary, depending on the nature of the attack.

In some cases it will be appropriate to shut down affected systems quickly. In others, you will want to keep them up and closely monitor the attacker’s activities in order to gain additional detail that will be helpful during the remainder of the response.

2. Eradication & Recovery

Once the incident is contained, it’s time to start cleaning up the mess. During eradication, you will identify all affected systems and perform activities appropriate to the incident type, such as removing malware or changing passwords on breached user accounts.

Recovery activities typically involve actions like restoring files from backup, or installing missing security patches. These efforts are intended to get you back to normal business operations.

3. Post-Incident Activity & Communication

Notification of internal and external players: Don’t delay in communicating with internal departments and external vendors, partners and clients. Do outline a clear chain of communication before breach detection and follow it post-breach.

Depending on your industry and state, laws vary with regard to required deadlines to inform those affected by the breach. Following proper procedures carefully and quickly can minimize breach fallout.

Remember to contain the breach, gather your response team, and thoroughly investigate the incident. Document all details—who, what, where, when, why, and how—along with notification deadlines. Follow your communication procedures by informing authorities, insurance companies, and those affected. Finally, assign a network security team leader to oversee and update the Incident Response Plan regularly.
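The documentation and notification steps above lend themselves to a simple tracker that refuses to consider an incident record complete until the who/what/where/when/why/how fields are filled in, and that computes each notification deadline from the discovery date and flags the ones that have lapsed. The Python below is an added example, not the article's or LBMC's own tooling; the obligation names and the day counts in `NOTIFICATION_DEADLINES_DAYS` are illustrative placeholders that must be replaced with the deadlines from the regulations that actually apply.

```python
"""Incident record with required documentation fields and notification deadlines.

Added example. The deadline table is constructed for illustration only; it is
not legal guidance and must be replaced with the applicable regulatory deadlines.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Placeholder obligations and deadlines in days after discovery (constructed).
NOTIFICATION_DEADLINES_DAYS = {
    "regulator-A": 60,
    "state-X-residents": 45,
    "card-brand": 3,
}

# The article's "who, what, where, when, why, and how".
REQUIRED_FIELDS = ("who", "what", "where", "when", "why", "how")


@dataclass
class IncidentRecord:
    discovered: date
    details: dict = field(default_factory=dict)      # who/what/where/when/why/how
    obligations: list = field(default_factory=list)  # keys of NOTIFICATION_DEADLINES_DAYS
    notified: dict = field(default_factory=dict)     # obligation -> date notice was sent


def missing_details(record: IncidentRecord) -> list:
    """Documentation fields that are absent or empty, in the 5W1H order."""
    return [f for f in REQUIRED_FIELDS if not record.details.get(f)]


def deadlines(record: IncidentRecord) -> dict:
    """Due date for every obligation, counted from the discovery date."""
    return {o: record.discovered + timedelta(days=NOTIFICATION_DEADLINES_DAYS[o])
            for o in record.obligations}


def overdue(record: IncidentRecord, today: date) -> list:
    """Obligations whose deadline has passed without a notice being sent."""
    return sorted(o for o, due in deadlines(record).items()
                  if o not in record.notified and today > due)


def next_due(record: IncidentRecord, today: date):
    """(obligation, days remaining) for the earliest pending notice, or None.

    A negative day count means the notice is already late.
    """
    pending = [(due, o) for o, due in deadlines(record).items()
               if o not in record.notified]
    if not pending:
        return None
    due, obligation = min(pending)
    return obligation, (due - today).days


def is_complete(record: IncidentRecord) -> bool:
    """True when every required field is documented and every notice is sent."""
    return not missing_details(record) and all(
        o in record.notified for o in record.obligations)


# Constructed sample incident: the "why" is still unknown, one notice is late.
SAMPLE = IncidentRecord(
    discovered=date(2025, 3, 3),
    details={"who": "external actor via phished service account",
             "what": "export of patient scheduling data",
             "where": "scheduling application server",
             "when": "2025-02-27 to 2025-03-02",
             "how": "reused credentials over the VPN"},
    obligations=["regulator-A", "state-X-residents", "card-brand"],
    notified={"card-brand": date(2025, 3, 5)},
)
AS_OF = date(2025, 4, 20)

if __name__ == "__main__":
    print("missing documentation:", missing_details(SAMPLE))
    print("overdue notices:", overdue(SAMPLE, AS_OF))
    print("next due:", next_due(SAMPLE, AS_OF))
```

For the constructed incident the tracker reports the undocumented "why", a lapsed notice to state-X residents, and twelve days left for regulator-A; the record only becomes complete once the last field is filled in and every notice has a send date.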

Cybersecurity Breach: Steps of Incident Response

IBM’s 2024 Cost of a Data Breach Report shared that only 12% of organizations queried had fully recovered from their data breaches. Most were still working on them. Among the share that had fully recovered, more than three quarters said it took longer than 100 days and roughly one-third said more than 150 days.

Why and How to Disclose Data Breaches

Reasons Companies Should Respond to Breaches

When it comes to data breaches, it is important to remember the lessons we all learned as kids. We must take ownership of our mistakes, be willing to tell the truth, even if it’s hard, and be proactive (rather than trying to sweep the breach under the proverbial rug).

Is it possible to disclose a data breach in a way that doesn’t damage your reputation? The answer is yes. But, to do so, it’s important to know both the reasons you would need to disclose a breach, along with any best practices for notifying the appropriate stakeholders.

As with many cybersecurity-related issues, specific regulations have been put in place to dictate how organizations should disclose a data breach. Those regulations fall into three main categories:

  • Federal Regulations—The US government has specified breach disclosure requirements for certain types of data. For healthcare organizations, HIPAA regulations outline how organizations should respond when patient health information is compromised. Financial institutions should follow FFIEC requirements for data breach disclosures.
  • State Regulations—California was the first state to create a law regarding data breaches in 2002. Today, all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have created a set of laws and regulations that define protected data and dictate how organizations should respond to data breaches affecting state residents. Many of these states also specify safe harbor provisions for encrypted data.
  • Industry-Specific Regulations—Some industries have specified their own set of requirements when it comes to managing a data breach. For retailers and businesses, there are specific PCI compliance regulations that create the obligation to disclose information related to a breach if credit card data is compromised.

When it comes to determining whether you should disclose a data breach, it’s important to know the applicable regulations. It’s also a must to know the specific laws of the states in which you conduct business.

Disclosing a data breach is never something an organization wants to do, but the consequences of neglecting that responsibility can cause far more damage than taking the appropriate action.

How to Disclose a Data Breach

If your organization experiences a breach, immediately work to remediate the issue. This not only limits the damage but also reassures stakeholders that you’re taking action. Here are a few best practices when it comes to notifying appropriate stakeholders:

  1. Disclose as soon as feasible. When a data breach occurs, people inevitably look for more information. They hear news from friends or read an article online, and they’re curious. Controlling the narrative by making factual information readily accessible is enormously important.
  2. Be honest and accurate. There’s always a temptation to downplay an incident or provide misleading statements to save face. Avoid statements that could mislead or confuse. Instead, focus on providing accurate information that gives interested and affected parties the details they need in order to protect themselves, and that helps maintain trust with stakeholders.
  3. Commit to continual updates. The worst thing you can do is notify stakeholders, and then go dark. Make sure they are aware that you will continue to update them on the breach and the steps you’re taking to address it until the damage is completely resolved.

How can I prevent future breaches?

The common industry term is “incident response,” but what your company should be focused on instead is an incident preparedness plan. Healthcare companies, in particular, must prioritize an incident preparedness plan over simply focusing on incident response. Given the sensitive nature of patient data and the industry’s vulnerability to breaches, the incident response plan you establish during the “prevent” stage of your cybersecurity program becomes crucial when responding to a security event.

Be proactive and plan ahead, and make provisions for as many potential cybersecurity breach scenarios as possible and make sure you have a documented Incident Response Plan that covers them.

Effective Incident Response plans are the playbooks for what actions to take and with whom to work during and after an incident.

If you’re starting from scratch, the National Institute of Standards and Technology Special Publication 800-61 (NIST SP 800-61) provides detailed instructions on building an incident response capability, including a handy incident response checklist.

Dealing with data breaches is challenging for any company, but especially for healthcare providers who handle critical patient information. The best approach is to start preparing today by conducting regular cybersecurity risk assessments and developing a thorough computer security incident response plan.

Whether you’ve just faced a breach or are proactively preparing, LBMC’s team of industry-specific experts can assist in minimizing breach impact, triaging incidents, and maintaining trust with patients and stakeholders.