COVID-19 is changing the way organizations prepare and respond to an incident. To address this, Marti Arvin and Clyde Hewitt are recording a mini-series on incident response. In this podcast, they discuss what must change as a result of becoming a remote workforce.
Links to stories:
To read more about incident response read our latest blog: https://insights.cynergistek.com/blog/thinking-about-the-unthinkable-preparing-for-incident-response-with-a-remote-workforce
Hello and welcome to CTEK Voices: The Risk Perspective. I’m your host Lauren Frickle. Today, we’re back with part six of our Incident Response in the Time of a Crisis series, with Clyde Hewitt and Marti Arvin of CynergisTek.
Hi Clyde. Hi Marti. How are you?
Lauren excellent, hope you’re well. Thank you, everyone, for joining.
Marti’s going to start the conversation today with a summary of what we’ve covered in talking about the key points. Marti!
Thanks Clyde, and hello, everyone. This is part six of our series on incident response in the time of the COVID crisis. And what we want to do with this podcast is really focus on some of the key recommendations that are takeaways from the prior five podcasts. And one of those key recommendations is going to be to ensure you have adequate communication processes.
We’ve talked in virtually all the podcasts about the fact that you need to have conference bridges and conference bridges that will support all the people that need to be on them. That you have up-to-date contact information for your key personnel and that you can reach people that you’re going to have to interact within this time of crisis. So, your communication tools are going to be so critical. They’ve always been critical but particularly in this time of crisis, where people are working remotely and it’s more difficult to connect, having those strong communication processes. Has the ability to reach people and the ability to actually get on a bridge and have the conversation in a meaningful way is going to be so important. So that’s one of the key takeaways that I want to mention.
Clyde additional key takeaways?
Absolutely, when we talk about conference bridges these need to be published ahead of time so that you know all key personnel may have you know, an index card or a business card with those phone numbers that they can carry around in their wallet or purse. So that you know, they don’t have to depend upon an email to get there.
Now when since when you set up these emergency conference bridges, it becomes important to understand who is going to participate. So also, in addition to having those numbers you need to find out who’s going to be on the call and potentially what numbers are going to be dialing in. We’ve already you know with the COVID crisis and the schools, of public schools and private schools, using these conference bridges. They have already experienced cases of where other individuals are hacking into the bridges and disrupting the classes and disrupting the operations.
Because a lot of these bridges don’t have the capabilities if you have the link of stopping someone else from coming in. There’s no validation process, there’s no two-factor authentication for launching these conference bridges. So that’s one of the things that needs to be done ahead of time.
So, some other considerations and again, we’ve talked in all the podcasts about your vendors and reaching out to your vendors and knowing what is happening with your vendors. In this process and anticipating some of the changes that might have occurred because your vendors’ workforce is working remotely.
So again, think about what is happening with your vendors, who are your critical and key vendors that you’re going to need for incident response. As well as reaching out potentially to some of your vendors who are business-critical. Because what happens if they have an incident and then that business vendor is not available for you? And how are you going to respond to that? So again, thinking about what’s going to happen with vendors is another key factor to think about.
So again, we’re trying to just focus on some key recommendations and if you want more details for many of the topics, we’re going to talk about you can go back and listen to the prior podcast.
Clyde, other issues that you can think of?
Yes, Marti, you brought up the idea of vendors and key vendors. Having a list of critical vendors is going to change. I mean in a remote workforce environment; your list of critical vendors may be different than what you would see in your normal day to day to day operations. You know where everybody is working from their desk or you know, the typical, you know environment. So, it’s important to also set down spend a little time thinking about what do we need?
For example, a vendor that you know, you may not think of as critical as for technology, you know, maybe in we order laptop computers for example on a typical replacement basis. And those come in, and you know, we think about how those get configured and maybe you need to think about, okay now let’s start sending our gold image or our gold disc to our laptop manufacturer laptop supplier and let them pre-configure them before they arrived because we’re not going to have staff on site.
So, what’s going to happen is the priority of the vendors is going to move up and down depending on how the function changes. The other thing about the vendor is those vendors that are required to provide short-term notice support specifically for incident response and recovery and you know notification and things like that. How are they set up to respond, especially if everyone is in a remote environment?
For example, you know the contract, you know for your incident response vendor, you know, maybe totally different and you know, maybe you haven’t looked at that in years. Maybe you haven’t exercised that contract in years. Now is the time to go back and look at those.
So again, focusing on some key recommendations and takeaways from our prior podcast. One of the things that we didn’t mention in the prior podcast that is important when we talk about incident response and perform incident response exercises with our clients. Then we always mention and make sure to tell them they need a scribe. They need somebody who’s writing down all the different things that are happening all the different decisions that are being made.
And that is even more critical when you’re talking about these remote communications and the activities that are occurring. So, don’t forget about the scribe and as we always say the scribe needs to be somebody who doesn’t have any other responsibilities. That maybe even more challenging in the environment of remote access and everybody performing extra work because of the additional patients you’re seeing, the additional work that folks are being asked to do that they might not normally do. So, I just reiterate try to keep in mind that you still want to have that scribe if at all possible.
One additional key recommendation is on breach notification. In the podcast that we talked about that, I mentioned that you might consider doing an interim notice. If you’re hitting your deadline under state or federal law. One other thing you might think about is just doing an alternative notice and perhaps doing a notice to the media.
So that you get something out there, even if it doesn’t specifically meet the criteria of the regulations. And then one additional piece is if you have a significant data compromise that you’re going to have to notify tens of thousands of people. We talked in the podcast on that about setting up the call center and some of the concerns and issues around that.
Another thing to consider is, your call center may be able to function and take that first level call but every significant data compromise, it involves multitudes of people tens of thousands of people are going to have calls that need to be escalated to the hospital, the physician practice, the covered entity. And so, you also are going to have to keep in mind how you’re going to handle those escalation calls.
So, keep that in mind as you think about breach notification in addition to what we’ve already talked about on the podcast on that topic.
So, Clyde other key recommendations or take away from things we talked about in the prior components of this podcast series?
Yes, one of the other key takeaways would be to think about as you do incident response exercises. Draw straws and say alright, we’re going to do an exercise on incident response but then you go around and you say okay every fifth person in line step out of line. We’re simulating that you have COVID or you are you know on vacation or something else.
I mean COVID happens to be the crisis. But you know, incidents also happened, you know after COVID is you know, we get through the COVID issues then you know, you’re going to have incidents where a lot of key personnel will not be available.
I’ve recently conducted some large exercises for some major medical centers and right at the kickoff, it’s like okay so-and-so, so-and-so, and so-and-so you’re on vacation. You’re at the HEMS conference, you’re on a cruise, and you know, you’re attending your daughter’s wedding in, you know, Cancun or something. So, you’re not available.
So, you take out key personnel so that the individuals who are the front-line managers and even a few of those you take those out of the play to see if the organization can actually respond and continue to communicate and understand who’s you know, who’s in the game and who is unavailable.
So, one final comment on key recommendations. Again, I would encourage you to listen to the entire series of podcasts because we’ve talked in detail about all these topics but thinking about BYOD and what the issues are around BYOD. You may have a process in place that addresses BYOD in normal business, but we are not in normal right now. And how does that change with both incident response and just normal business functions and activities? And what are the concerns and threats around that?
So, I just encourage you to keep that in mind both in relationship to incident response and in relation to just functioning in the normal course of business in the strange times, wherein.
Clyde, additional thoughts?
Yes, BYOD also includes bring your own phone. So, we had talked about earlier. You know, how do you deal with the caller ID for outbound calls? Go ahead and start looking to configure softphone clients on some of the work computers, especially the laptops that are key personnel are going to be moving, you know to their house or their even those individuals who may be key personnel and have a desktop that they own. Maybe look at licensing so that you can have those, you know, softphone clients moved out so that the individual on the other side, maybe it’s a patient maybe to vendor will have more reasonable assurance that the person calling them actually works for your healthcare organization.
So, one other key recommendation that we didn’t talk about in the prior podcast but is very very important and something we routinely talk about when we do incident response exercises with clients is take care of yourself. So, when you think about this current environment that we’re in we just reiterate to you take care of your patients and take care of yourself. That’s true in your normal day-to-day operations and it’s also going to be true as you think through incident response.
So just keep all of this in mind and it again if there’s anything we can do to support you, feel free to reach out to us. CynergisTek has always had the philosophy that we will spend 30 minutes an hour on the phone with you even if you’re not a current client. If there’s ways we can support, you and you want to reach out to us. Please go to our website our contact information is there, our podcast series on incident response is there, along with blogs that have been written by our executive advisors. And we also have blogs and podcasts on other topics that you might be considering and thinking about through the course of this crisis, like telemedicine and compliance and telemedicine and HIPAA.
So again, I would just encourage you if you can reach out. We’re trying to support you in any way possible and we are thinking about you. But take care of your patients and take care of yourself.
Clyde, any closing thoughts?
No, Marti, you pretty much nailed it. It’s important to take care of yourself and just because you happen to be “in isolation at home” does not mean you can get out or restricted from getting out and enjoy some fresh air. So, getting out fresh air get some sunshine take care of your health take care of your family and you know, keep your co-workers notified because we are all worrying about everyone so, you know to use the social media to let people know that you’re okay.
Thank you so much, Clyde and Marti!
This concludes our series on incident response in the time of a crisis. Parts one through six can be found on our website www.cynergistek.com. Thank you very much for listening.