Incident response management plan
- Yes, there are standard protocols, and different types of cyber incident call for different responses. For example, the Privacy Act 1988 sets out a regulatory approach to managing data breaches, including a cyber security incident in which personal information has been compromised.
- We recommend that medical practices have a documented data breach response plan, which sets out everything required when personal information is involved in a breach, as well as a cyber incident response plan. As discussed in our presentation, there are four key steps that practices must take after a breach is discovered. These are listed below:
Step 1: Contain the data breach to prevent any further compromise of personal information.
Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
Step 3: Notify affected individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the Notifiable Data Breaches (NDB) scheme, notification is mandatory unless an exception applies, and the statement to the Commissioner must follow the prescribed format.
Step 4: Review the incident and consider what actions can be taken to prevent future breaches.
- It is recommended to seek professional advice if a data breach or cyber security incident is suspected and to consult with the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC).
- If personal information has been compromised, there are specific steps required to inform affected individuals, including identifying what personal information has been compromised and giving them guidance on what they can do to reduce the risk of harm. The ACSC also provides guidance on managing a cyber security incident and encourages organisations to report incidents to it.
- Resilience by Design can assist with preparing a data breach response plan, communication templates, and a cyber incident response plan. Please contact info@resiliencebd.com for more information.