Exploring Security, Privacy Team Roles in Healthcare Cyber Incident Response

October 26, 2022 - Effective healthcare cyber incident response and preparedness require strong collaboration between security and privacy teams. Privacy and security experts can leverage one another’s expertise to effectively reduce risk and champion privacy and security across the organization. 

Karen Habercoss, chief privacy officer at the University of Chicago Medicine, and Erik Decker, VP, chief information security officer (CISO) at Intermountain Healthcare, understand firsthand how the nuanced roles of healthcare security and privacy professionals intersect.

At Mandiant’s mWISE conference, held in Washington, DC in October, Habercoss and Decker delivered a presentation on leveraging the alliance between security and privacy teams and how security and privacy experts can benefit from strategic partnerships with one another.

In a subsequent conversation with HealthITSecurity, Habercoss and Decker shared additional insights about security and privacy team engagement and each team’s role in incident response.

“Both privacy and security have the same institutional best interests at heart, and they're both working toward the same goal,” Habercoss told HealthITSecurity.

Achieving that goal requires a different set of skills and actions for each team. But together, privacy and security experts can improve effectiveness and efficiency in a variety of use cases, including incident response.

The Value of Security, Privacy Team Collaboration

HIPAA requires covered entities to have a designated security officer and a designated privacy officer. However, HIPAA’s flexible nature allows individual entities to determine how those roles intersect.

Throughout the conference session, Habercoss and Decker provided numerous examples of how security and privacy teams can work together to achieve a common goal. From merger and acquisition due diligence to third-party contracting, privacy and security teams can use their expertise to provide valuable insights into a variety of decision-making processes.

First, it is important to acknowledge that privacy and security teams do have different focus areas. For example, privacy teams may be focused on patients’ rights surrounding their data, how the organization is acquiring and using that data, and data confidentiality efforts.

Meanwhile, security teams may focus on a range of preventive security measures, identity and access management, data protection, cyber hygiene, and business continuity and resiliency efforts. Additionally, both teams must consider regulatory requirements every step of the way.

While not an exhaustive list of roles and responsibilities, it is clear that privacy and security teams have distinct differences and may view the same issues through different lenses. However, these differences are more often strengths than weaknesses, and there are a great deal of similarities between the roles as well.

“There is a lot that we do that's actually conjoined and similar versus disparate,” Decker emphasized. “We both educate. We both have incident management. We both govern. We both have risks.”

The way that each team goes about addressing risks and managing incident response may be different, but each team can enhance the other’s knowledge and advocate for privacy and security efforts across their organization.  

Use Case: Cyber Incident Response

Cyber incident response efforts are a key area where strong collaboration between privacy and security experts can shine. Using a ransomware attack as an example, effective cyber incident response requires privacy and security teams to remain in sync. Even if the event begins as a security incident, it could have privacy implications later on.

In the event of a ransomware attack, the security team would most likely be the first team engaged. If the security team assesses the situation and classifies the event as high-risk, the next step would be to engage the organization’s incident response team, consisting of experts across security, privacy, and legal teams.

“It is really important to bring privacy in as early as possible,” Habercoss stressed.

As the security team works to bring operations back and maintain systems, the privacy team can begin to assess any potential data impacts and consider regulatory requirements. The HIPAA Breach Notification Rule requires covered entities to notify impacted individuals of a breach within 60 days of discovery.

Also within 60 days, covered entities must notify HHS of any PHI breach that impacted more than 500 individuals. Individual state laws may have tighter timelines. As a result, engaging the privacy team as soon as there is a potential impact to patient data is crucial so that the team has time to properly assess how the incident could impact sensitive patient data.

In addition to the privacy team’s typical areas of expertise, Habercoss also suggested that security leaders lean on privacy teams to help out with adjacent tasks throughout the process.

“Some privacy teams can be engaged to do small tasks on behalf of the security team, run things down for them, and talk to varying people while they're handling some of the more technical pieces of it,” Habercoss reasoned.

It is also important to note that practicing cyber incident response plans through tabletop exercises with all relevant parties present can go a long way in making sure that all functions run smoothly when it does come time to respond to a cyber event.

Cyber incident response is just one of many ways that privacy and security teams can and often do leverage each other’s resources to gain insights, improve workflows, and further their common goal of maintaining data privacy and security.

Communication is Key

An effective partnership between privacy and security teams requires open lines of communication and a unified messaging strategy.  

“We can serve as watchdogs for each other,” Decker explained. “We have different access to the organization, just by the very nature of how our programs are set up. Cyber is heavily embedded in IT things, and there can be all kinds of technical things that happen that a privacy officer might not ever get exposed to, but they might need to be exposed to it.”

In the instance of a ransomware attack, the security team may be the first to know, and can then advocate for bringing their privacy peers into the conversation early on. In other cases, such as third-party vendor contracting, the privacy team may be involved from the start. With a good working relationship established, the privacy team can know when to nudge the security team to assess risk during the contracting process.

This relationship can also be useful when communicating risk to board members in a concise and unified way.

“Alignment on messages is incredibly important,” Decker stated. “It shows that you're a partnership. It shows that you have solid management in place to tackle those issues.”

Regular communication between security and privacy teams can help each team iron out governance and strategies, identify areas of collaboration, and communicate risk effectively.