Q&A: Responding to a potential security breach

Q: A person handling PHI from a remote location admitted that he had clicked on what turned out to be a malicious link in his personal email while he was using a company laptop. The laptop contained access to patient data and PHI. This is the first time such an incident has taken place in my department. What should our response plan look like in this situation?

A: The first step would be to isolate the infected laptop—disconnect it from the company network. That goes a long way to prevent the malware from infecting other workstations and servers on the company network. It is important to preserve the evidence if you think the attack may have led to a breach of PHI or personally identifiable information. Law enforcement cannot investigate the incident if the evidence is destroyed.

Hopefully you already have a security incident response plan (IRP) in place, including a trained security incident response team, and you’ve made sure all employees know whom to contact and how quickly to do so if they suspect they’ve been attacked. Don’t wait until a security incident occurs to write your IRP. The faster you respond, the lower the risk and the potential for breach. As an example, if staff are not trained on what to do, they may wait days before informing someone. That may lead to the spread of the malware throughout your network, which could lead to breaches, ransomware, and blocking your access to the outside world (a distributed denial of service [DDoS] attack).

To prevent future similar incidents, it is important to conduct periodic mock phishing exercises and, of course, provide remedial training to the employee who clicked on the bad link. Mock phishing exercises are good at identifying the level of risk you are facing when it comes to phishing and other social engineering attacks. The exercises are also good education for staff: When they click on the mock phishing link, they could be notified of the mistake and what they can do to avoid clicking on malicious links in the future.

Editor’s note: Chris Apgar, CISSP is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.