Incident Containment: When your 4.7 seconds come, how will your team perform?


There is 4.7 seconds left in the game. The score is tied. The ball is in-bounded...and we know the rest. Villanova junior, Kris Jenkins, takes a pass from senior, Ryan Arcidiacono, and sinks a 3-pointer, leaving 0.0 on the clock. Sure, this is a shameless plug for my alma mater, but is also one of the best finishes in NCAA Basketball Championship history.

With so much on the line, how does a team remain cool and execute? Practice, of course - knowing the situation will happen, and repeatedly preparing for it. As Villanova’s senior point guard Ryan Arcidiacono said of the final play: “(It's) something we work on every day..."

What if more organizations took the same practiced approach to their incident response planning and execution? As security professionals we know the threats facing our organizations. Known threats continually evolve. Zero-day exploits occur before we can adequately defend. In this environment, the only certainty is that it’s not a matter of if, but a matter of when an attack will penetrate defenses. When this occurs, the last line of defense is a finely-honed incident response plan.

The most recent study of 223 healthcare executives by KPMG showed that nearly 80 percent of their IT environments had been compromised. In fact, 13 percent of those organizations are hacked at least once a day while 38 percent see 50-350 breaches a year and 44 percent see 1-50 breaches a year. In a good program, it may be exercised once a year.

As healthcare organizations become savvier at detecting breaches, their next priority must be to respond and contain better. The KPMG survey revealed that 45 percent of healthcare executives did not feel that they had adequate IT security resources for handling their current level of incidents. Getting to that critical point of containment is crucial to mitigating and minimizing the costs of an attack – financial, legal, productivity, morale – and protecting one’s patients, members and customers from identity theft. It offers the first opportunity to take a breath, analyze, and begin the process of recovery. Getting there quickly requires practice.

Our Security, Privacy, and Compliance team emphasizes the following guidelines when we work with a client to create a custom Incident Response Plan and when we meet with them regularly to put the plan through its paces.

  • Where is the plan? Are physical copies maintained in addition to an on-line copy?
  • Are roles and responsibilities clear?
  • Does staff know how to recognize an incident and initiate the incident response plan?
  • Is current contact information maintained? Do the contacts in the plan know they’re part of the plan? Have they been involved in practicing the plan?
  • Are adequate vendor service-level agreements in place?
  • Will you share knowledge of the threat with neighboring/regional organizations?
  • Is the plan exercised frequently (not simply once per year)?

As the saying goes, “amateurs practice till they get it right, professionals practice till they can’t get it wrong.” In the current environment of continually advancing threats to the security of information systems, incident response plans can’t sit on a network drive marked “in case of audit, break glass.” They need to be practiced – often – and until you can’t get it wrong. When your 4.7 seconds come, and it will, how will your team perform?

Learn More: Let’s look at your Incident Response Plan, together. How can we help your team be ready and practiced for when it’s time to respond and contain quickly? BluePrint can help.


More about the author...
MarkFerrari IntroMark Ferrari brings over 15 years of healthcare IT experience to BluePrint with the unique perspective of working both for provider and vendor organizations. Prior to joining BluePrint, Mark served as a Principal Consulting Project Manager for Siemens Health Services Corporation where his primary focus was working with clients to implement the MobileMD HIE platform. Mark was also involved in EMR implementation initiatives in support of clients’ pursuit of Meaningful Use. During his tenure at Healthcare Data Exchange (HDX), Mark led a redesign of implementation and project management methodology, and Mark successfully managed certification efforts for Siemens with the Electronic Health Network Accreditation Commission (EHNAC), as well as their OCR audit preparation. Mark chaired his division’s Compliance Advocacy Committee, delivered quarterly Privacy and Security training, and sat as a member of Siemens Heath Services’ Protected Information Management Council.

Mark received a Bachelor of Science in Business Administration from Villanova University, earned a Master of Science in Emergency Management from Millersville University of Pennsylvania and holds certifications as a Project Management Professional (PMP) and a HealthCare Information Security and Privacy Practitioner (HCISPP). Mark served as a Captain in the U.S. Air Force, commanding a Minuteman III missile combat crew and brings 20 years of active experience in Emergency Medical Services.

Email Mark | Follow Mark on Twitter | Connect with Mark on LinkedIn