How to respond and recover from a cyber security incident

Published
Posted by Jamison Phillis

If you’ve had a cyber security incident recently or in the past, you know it’s a stressful and costly time for any company or individual.

For a medical clinic or a business dealing with people’s sensitive data, extra care must be taken to mitigate damage and recover with your operations and records intact.

While the best protection against cybersecurity threats is proactive planning (Read: How to protect your medical practice from cybersecurity threats), incidents do happen.

Discover what steps you should take should a cyber incident occur.

1. Don’t panic

If you or someone on your team suspects an incident has occurred, don’t panic. People will look to leadership in this situation for calm and assured direction.

Rash decision-making could make the situation worse and lead to further anxiety and confusion. However, being too slow or ignoring the situation will also have a negative impact.

2. Follow your Cyber Incident Response Plan

If your clinic or business has a formal cyber incident response plan in place, start there. The plan will set out the steps you take, both internally and externally, to contain and recover from an event, and who to contact at each stage.

Need a template for a Cyber Incident Response Plan? Find one here

3. I don’t have a response plan, now what?

If you haven’t prepared for a cyber incident, you’ll need to prioritise the event immediately according to its severity. If you or your team are locked out of clinic systems, or money or data has been stolen, operations can come to a dead stop.

Put simply, there is no single way to respond to a data breach. Each one will have its own set of factors, and its own set of actions that are most effective in reducing or removing the risk. Generally, you should follow the four key steps set out by the Office of the Australian Information Commissioner (OAIC):

Step 1: Contain
Step 2: Assess
Step 3: Notify
Step 4: Review 

More details on these steps can be found here: Data breach preparation and response from the OAIC

4. Step 1: Contain 

The first step in response to a breach is to limit any further compromise of information. That often means taking affected systems offline or changing access: disabling compromised accounts, resetting passwords and revoking remote access until you know how the attacker got in.

In this first step, all the proper channels should be notified of the breach. If you have a cyber incident response plan, the contacts will be listed there. If not, create a relevant list, including your legal advisers and your IT provider. They will be able to help start the containment process.

During this stage, be careful not to destroy evidence that may identify the cause of the breach or reveal other risks. Powering a machine off, wiping it or reimaging it loses volatile evidence such as running processes, network connections and memory contents, so where possible isolate the system from the network first and let your IT provider or forensic specialist decide when it is safe to shut down. Keep logs, and record who did what and when.
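As an added example (not code from the article or from GPsupport), the following Python script shows the order of operations that the evidence caveat above implies: snapshot the volatile state of an affected host first, with a SHA-256 manifest so the collection can later be shown to be untouched, and only then isolate it or lock accounts out. The particular commands captured, the folder layout and the manifest format are this example's own assumptions; a forensic provider may ask for more.

```python
"""Preserve volatile evidence before taking containment action.

Added example, not code from the original article or from GPsupport. It
snapshots volatile state (running processes, logged-in users, open network
sockets) from a Linux/macOS host into a timestamped evidence folder, writes a
SHA-256 manifest so the collection can later be shown to be unaltered, and can
re-verify that manifest. The command set and folder layout are assumptions.
"""
import hashlib
import json
import platform
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Volatile sources that a shutdown or reimage would destroy. Tools that are
# not installed on the host are skipped and the gap is recorded, not guessed.
VOLATILE_COMMANDS = {
    "processes": ["ps", "aux"],
    "logged_in_users": ["who"],
    "network_sockets": ["ss", "-tunap"],  # replaced by netstat if ss is absent
}
VOLATILE_FILES = ["/proc/net/tcp", "/proc/net/udp"]  # Linux only; skipped elsewhere


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large captures need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_volatile_evidence(evidence_root=None) -> dict:
    """Write each volatile source to its own file and return the manifest."""
    root = Path(evidence_root) if evidence_root else Path(tempfile.mkdtemp(prefix="ir-"))
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    out_dir = root / f"evidence-{stamp}"
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_utc": stamp, "host": platform.node(),
                "output_dir": str(out_dir), "skipped": [], "items": {}}

    commands = dict(VOLATILE_COMMANDS)
    if shutil.which("ss") is None and shutil.which("netstat"):
        commands["network_sockets"] = ["netstat", "-an"]

    for name, argv in commands.items():
        if shutil.which(argv[0]) is None:
            manifest["skipped"].append(f"{name}: {argv[0]} not installed")
            continue
        try:
            proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
        except (subprocess.TimeoutExpired, OSError) as exc:
            manifest["skipped"].append(f"{name}: {exc}")
            continue
        target = out_dir / f"{name}.txt"
        target.write_text(proc.stdout)
        manifest["items"][name] = {"source": " ".join(argv), "file": target.name,
                                   "sha256": sha256_file(target)}

    for src in VOLATILE_FILES:
        path = Path(src)
        try:
            data = path.read_bytes()
        except OSError:
            manifest["skipped"].append(f"{src}: not readable on this host")
            continue
        target = out_dir / path.name
        target.write_bytes(data)
        manifest["items"][path.name] = {"source": src, "file": target.name,
                                        "sha256": sha256_file(target)}

    # The manifest is written last so it covers every captured file.
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(out_dir) -> bool:
    """Recompute every hash in manifest.json; False if any file is missing or changed."""
    out_dir = Path(out_dir)
    manifest = json.loads((out_dir / "manifest.json").read_text())
    for item in manifest["items"].values():
        path = out_dir / item["file"]
        if not path.exists() or sha256_file(path) != item["sha256"]:
            return False
    return True


if __name__ == "__main__":
    result = collect_volatile_evidence()
    print(f"Collected {len(result['items'])} items into {result['output_dir']}")
    print("Skipped:", result["skipped"] or "nothing")
    print("Manifest verifies:", verify_evidence(result["output_dir"]))
```

Run it as the first action on a suspected host, copy the evidence folder (manifest included) to removable media or a separate system, and only then pull the network cable or disable accounts. The manifest hashes are what let your legal team or a forensic provider rely on the capture later; if `verify_evidence` ever returns False, treat the copy as untrustworthy.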

5. Step 2: Assess

Evaluate the data breach by gathering all the facts: what information was involved, how it was accessed, who is affected and what the risks to them are, and how those risks should be addressed. The goal here is to limit the impact of the breach as much as possible on everyone affected, inside and outside your business.

Create your “action plan”: the steps to recover what was lost, who to notify and when, and what remedial action must be taken.

Depending on the severity of the breach, you may have an obligation to report under the Notifiable Data Breaches (NDB) scheme, and failing to do so may expose you to penalties. The scheme expects you to take all reasonable steps to complete your assessment of a suspected breach within 30 days of becoming aware of it.

More: The Australian Government has passed new legislation to issue larger penalties for data breaches.

6. Step 3: Notify

If the breach is classified as an ‘eligible data breach’ under the NDB scheme, and your organisation is covered by the Privacy Act (private health service providers are, regardless of turnover), you must notify the affected individuals and the Commissioner.

*An eligible data breach is unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in “serious harm” to any of the individuals concerned, and which you have not been able to prevent through remedial action.

For minor data breaches, while they still need to be mitigated, a full notification strategy may not be necessary and could cause more harm than good to the employees and people you serve.

Each incident will need to be evaluated on a case-by-case basis to determine whether notification is required. It’s important to consult with your legal team to understand your obligations.

*Read more about eligible data breaches in Part 4 of the Data breach preparation and response from the OAIC

7. Step 4: Review

Once you’ve contained the incident and dealt with the fallout, it’s time to learn from the event to reduce the chance of a repeat. Cyber security is everyone’s responsibility, so a company that talks openly and often about cyber hygiene and promotes a culture of coming forward when something looks wrong will be better placed to ward off the next incident.

Your review should evaluate:

  • Your Cyber Incident Response Plan, if you had one in place.
  • Company policies and procedures 
  • Employee training 
  • The actions of parties involved in the breach

The results of your evaluation will show you the weak areas to fix to prevent future breaches at your business or clinic. Perhaps you need to educate employees on safe working-from-home practices, or update your systems and technology. Either way, having good partners on your side is critical to recovering from future incidents.

“Cyber security cannot be outsourced. It must be addressed internally to maintain realistic security.”

Jamison Phillis, Director of Operations at GPsupport

GPsupport is the leading IT specialist for opening, supporting, and growing healthcare clinics across Australia. 

We provide medical practices with the end-to-end technology they need to deliver vital care to the people of their communities. We do this by managing our clinics’ complete technology needs, all under one roof.