Recently Cris Ewell, PhD, CISO of Seattle Children’s Hospital, discussed his organization’s data breach response plan in a webinar with ID Experts. During the webinar he described his organization’s experience and its models for managing a data breach, starting from the premise of “when, not if”: data breaches are bound to happen, so the hospital operates “under the assumption of a breach. You have to expect that [a data breach] is not a matter of if but when.” Below are some of the challenges he described and the practices that support his program.
According to Dr. Ewell, Seattle Children’s — like many hospitals — faces a few challenges when it comes to preparing strong incident response management plans.
1. Organization. Determining who is involved in a hospital’s data breach response can be a challenge. Seattle Children’s has struggled with deciding who should be accountable for incidents.
“This is bigger than information security and privacy. You’ll hear me talking about making sure you involve everybody in the organization, from the board level to hospital trustees down to the individuals at the help desk,” said Dr. Ewell.
Organizational challenges also involve cultural issues. According to Dr. Ewell, it is important for hospitals to break down their internal silos so that multidisciplinary incident response and management teams can be formed.
“5 elements of Seattle Children’s data breach response culture
Part of Seattle Children’s success in data breach response management can be attributed to its culture of governance and organizational support. However, the hospital also has a clearly defined process for response with specific designations for responsibility. Here Dr. Ewell elaborates on the elements that have led to the hospital’s strong information security and breach response.
1. Governance. Seattle Children’s governance structure for its data breach response management is clear and well laid out. Strong governance will transform the entire organization into a risk-based organization that looks at security and privacy issues holistically rather than departmentally, according to Dr. Ewell. The hospital’s strong governance is evidenced in its detailed plan, which includes six steps: preparation and planning, discovery and report, analyze and assess, response, recovery and remediate, and post-incident. According to Dr. Ewell, the first step — preparation and planning — is his responsibility.”
You can read the whole article “5 Elements of Seattle Children’s Data Breach Response Management Program” here.
You can watch the complete webinar here.