Healthcare Information Security and Privacy by Sean P. Murphy


Author: Sean P. Murphy
Language: eng
Format: epub
Publisher: McGraw-Hill Education
Published: 2015-07-15T16:00:00+00:00


Containment, Eradication, and Recovery Phase

There is probably no other responsibility of the incident response team that is more important than evidence collection and preservation, which happens primarily in containment. Of course, information that is collected in the detection phase could serve as evidence too. The responsibilities of the incident response team may now progress into formal digital forensics. As such, the team also serves as the organizational focal point for security incidents as resources are provisioned to triage, respond, and begin to recover.

Evidence gathering and preservation must include proper documentation and handling. The first step is to create a backup image of the system believed to be compromised; that image is the evidence copy. If possible, a second copy should be made to serve as the restore copy once the vulnerabilities are remediated. Both copies must be stored securely by the incident response team. As mentioned, assistance from the healthcare attorney or human resources, for example, can help ensure that chain-of-custody requirements are preserved and that relevant laws are followed. Evidence collected in these incidents is sometimes used by law enforcement agencies in court cases. Those law enforcement personnel may not have access to the systems as early in the process as the incident response team does, and they will rely on the validity of the evidence collected. A detailed log should be kept for all evidence, including the following:6

• Identifying information (for example, the location, serial number, model number, hostname, media access control [MAC] addresses, and IP addresses of a computer)

• Name, title, and phone number of each individual who collected or handled the evidence during the investigation

• Time and date (including time zone) of each occurrence of evidence handling

• Locations where the evidence was stored
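The evidence log the text describes can be kept as a structured, tamper-evident record rather than a free-form notebook. The following Python module is an added example, not code from the book or from any tool it references: it models the four log fields listed above (identifying information, handler name/title/phone, time and date with an explicit time zone, storage location), stores the SHA-256 of the evidence image taken at imaging time, and chains each handling entry to the previous one with SHA-256 so that a later edit to any entry, a reordered or deleted entry, or a changed image is detected by `verify()`. All names, serial numbers, addresses and the image bytes are constructed for the example.

```python
"""Tamper-evident chain-of-custody log for a forensic image (added example).

Every handling event carries the fields the evidence log needs and an
entry_hash = SHA-256(previous entry_hash + canonical JSON of the fields),
so the whole log can be re-verified against the evidence image later.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class EvidenceItem:
    """Identifying information for the seized system (values are constructed)."""
    location: str
    serial_number: str
    model_number: str
    hostname: str
    mac_addresses: List[str]
    ip_addresses: List[str]


@dataclass(frozen=True)
class CustodyEvent:
    handler_name: str
    handler_title: str
    handler_phone: str
    action: str             # e.g. "imaged", "transferred", "stored"
    storage_location: str
    timestamp: str          # ISO 8601 with an explicit UTC offset
    image_sha256: str       # hash of the evidence image when the event was logged
    previous_hash: str      # entry_hash of the prior event ("" for the first)
    entry_hash: str         # SHA-256 over previous_hash + the fields above


class CustodyLog:
    def __init__(self, item: EvidenceItem, image: bytes) -> None:
        self.item = item
        self.image_sha256 = sha256_hex(image)  # baseline hash taken at imaging
        self.events: List[CustodyEvent] = []

    @staticmethod
    def _entry_hash(previous_hash: str, fields: dict) -> str:
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return sha256_hex((previous_hash + canonical).encode("utf-8"))

    def record(self, handler_name: str, handler_title: str, handler_phone: str,
               action: str, storage_location: str,
               when: Optional[datetime] = None) -> CustodyEvent:
        when = when or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("timestamp must carry a time zone")
        previous = self.events[-1].entry_hash if self.events else ""
        fields = {
            "handler_name": handler_name, "handler_title": handler_title,
            "handler_phone": handler_phone, "action": action,
            "storage_location": storage_location, "timestamp": when.isoformat(),
            "image_sha256": self.image_sha256,
        }
        event = CustodyEvent(**fields, previous_hash=previous,
                             entry_hash=self._entry_hash(previous, fields))
        self.events.append(event)
        return event

    def verify(self, image: bytes) -> bool:
        """True only if the image still matches and every entry re-hashes cleanly."""
        if sha256_hex(image) != self.image_sha256:
            return False
        previous = ""
        for ev in self.events:
            fields = {k: v for k, v in asdict(ev).items()
                      if k not in ("previous_hash", "entry_hash")}
            if ev.previous_hash != previous or ev.entry_hash != self._entry_hash(previous, fields):
                return False
            previous = ev.entry_hash
        return True

    def to_json(self) -> str:
        return json.dumps({"item": asdict(self.item), "image_sha256": self.image_sha256,
                           "events": [asdict(e) for e in self.events]}, indent=2)


def demo() -> dict:
    """Build a small log from constructed data and show what verify() catches."""
    image = b"CONSTRUCTED disk image bytes for the example"
    item = EvidenceItem("Server room B, rack 4", "SN-CONSTRUCTED-0001", "Model-X",
                        "ehr-db-01", ["00:11:22:33:44:55"], ["10.0.5.17"])
    log = CustodyLog(item, image)
    t0 = datetime(2015, 7, 15, 16, 0, tzinfo=timezone.utc)
    log.record("A. Analyst", "IR lead", "555-0100", "imaged", "Evidence locker 2", t0)
    log.record("B. Custodian", "Security officer", "555-0101", "transferred",
               "Evidence locker 2", t0 + timedelta(hours=1))
    intact = log.verify(image)                 # untouched log and image
    wrong_image = log.verify(image + b"x")     # image no longer matches baseline
    log.events[0] = replace(log.events[0], storage_location="unknown")
    tampered_entry = log.verify(image)         # edited entry breaks the chain
    return {"intact": intact, "wrong_image": wrong_image, "tampered_entry": tampered_entry}


if __name__ == "__main__":
    print(demo())
```

The log exported by `to_json()` is what an attorney or law enforcement would be handed alongside the image; because each entry hash commits to the one before it, the export can be re-verified independently by anyone holding the image, which is the property the chain-of-custody requirement is after.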

Additional activities the healthcare information security and privacy professional can be expected to accomplish include the following:

• Be sure to revisit detection and analysis, because it is common to discover additional systems affected by the same incident cause.

• Conduct a thorough investigation.

• Begin eradication once the cause and symptoms are considered contained.

• Identify and mitigate all vulnerabilities that were exploited.

• Remove malware, inappropriate materials, and other components.

• Make required changes to information systems (add patches, change code, remove access, and so on).

• Minimize newly discovered vulnerabilities resulting from a security incident.

• Report incident status and resolution information to senior management and to the information systems help desk so it can assist end users who are reporting concerns.

• Assist senior management with all communications made in community updates and in notification activities to the media, regulators, and affected individuals.

• Act as liaison with upper management and other teams and organizations, defusing crisis situations and ensuring that the team continues to have the necessary personnel and resources.

• Assist with bringing the systems back to production.

• Confirm normal operations.

• Watch for unintended consequences; short-term oversight of the restored systems is necessary.

• Implement additional or improved monitoring in case of another incident.





