Healthcare organizations should take a disaster recovery approach to creating their breach response plans, says Joey Johnson, CISO of Premise Health.
"The biggest thing missing so many times is organizations not testing [these breach response plans] out," says Johnson, who will be a featured speaker at Information Security Media Group's Healthcare Security Summit in New York on Nov. 1 and 2.
"Traditionally, if you test a disaster recovery plan, you learn things every time you try to recover your systems," he says. "Breach response and preparedness is really no different."
Organizations should test various scenarios, such as, for example, how a vendor breach would affect them, he says. And they should evaluate the role of cybersecurity insurance coverage.
Designating Responsibilities
In devising a breach response plan, organizations must spell out who is responsible for different components of the plan, he stresses. "There are internal components, which a technical team handles, but there's a whole other level ... such as who's responsible for responding to media outlets, what's legal [department's] responsibility and who makes the call on whether this is a breach and what and who to notify," he says.
In this audio interview (see link below photo), Johnson also discusses:
Mistakes organizations should avoid in their breach response and recovery plans; Special breach challenges that Premise Health faces as a provider of healthcare services to other companies' employees at their worksites; Predictions about the cyber challenges the healthcare sector will face in 2017.At the Healthcare Security Summit, Johnson will participate in a panel discussion on creating an action plan for responding to data breaches.
Johnson has more than 15 years of cybersecurity experience. As the CISO of Premise Health, a Brentwood, Tenn.-based provider of worksite healthcare services, Johnson leads all organizational efforts related to cybersecurity; IT and security compliance and policy development;, security audit; and vendor risk management. Previously, Johnson held technical and program leadership roles in the public and private sectors. He formerly served as chief security officer for the U.S. Department of Commerce - Office of Computer Services, and held various security and network architecture roles leading the design and implementation of complex enterprise networks for airports, hospitals, universities and federal agencies.