Incident Response 5 min read Feb 2023

Did You Know That Having an Incident Response Plan Can Protect Your Business?

Welcome back. This week, we look at setting up incident response in your pharmacy.

What is Incident Response?

Incident Response is the set of steps taken to address an incident. To understand Incident Response, you must know what an incident is and how an incident differs from an event.

  • An Event is a change of state observable in a network, system, or application. An event can be a user accessing a file, a web server receiving a request for a web page, a user sending an e-mail, or a firewall blocking a connection.
  • An Incident is a change of state caused by an adverse event with negative consequences. An incident can be a system crash, a denial of service, unauthorized use of system privileges, or unauthorized access to sensitive data.

Why Do You Need an Incident Response Plan?

All organizations should have an incident response plan.

Your actions in the first 24 hours after discovering a cyber incident or data breach are often crucial to the success of your response. A quick response can substantially decrease the impact on your business and on any affected patients.

An Incident Response plan can also help you:

  • Meet your obligations under the Privacy Act: privacy legislation requires you to take reasonable steps to protect the personal information you hold; those reasonable steps may include having an incident response plan.
  • Protect an important business asset: the personal information of your customers and clients as well as your reputation.
  • Deal with adverse media or stakeholder attention from a breach or suspected breach.
  • Give your customers confidence in your capacity to protect personal information by properly responding to the incident or breach.

The incident response process has six steps:

  1. Preparation
    • Having the people and training to recognize an incident, and technology to detect, prevent, or correct an incident.
  2. Identification
    • Verify the incident is not a false positive, and understand what services are impacted, what computers or devices are affected, and who is impacted.
  3. Containment
    • Isolate the impact immediately while minimizing business impact.
  4. Eradication
    • Eliminate the cause of the incident. Clean the malware, re-image the system, or take other actions that restore operations to normal.
  5. Recovery
    • Return to a normal state. Verify that systems meet security standards prior to reinstatement in the operational environment.
  6. Lessons Learned
    • Debrief with a report summary of the incident: what happened, why, how it could be prevented, and what could have been done differently to prevent the incident.

How Can I Get an Incident Response Plan?

I recommend adopting one of the templates below and creating your incident response plan.

  • The Office of the Australian Information Commissioner has a downloadable “Data Breach Action Plan” that can serve as a simple start of a plan.
  • The Australian Cyber Security Centre (ACSC) provides a Word template you can use as a starting point. This template is potentially overcomplicated for a small business. I recommend removing sections you are not likely to use.
  • The Victorian Government provides a similar plan to the ACSC.

What Do I Do Once I Have a Plan?

In large organizations, it is best practice to ensure that the incident response process is known by all key staff and those expected to help during a breach.

Once you have a plan, I recommend you:

  • Get with your key staff, run through some scenarios, and ensure everyone understands their responsibilities. This can help you think through things you might need and take actions (Preparation, Step 1) to get ready to respond.
  • Print out the plan and place it in an accessible spot in the pharmacy. Keeping it only on a computer that could get infected with ransomware is not good practice.
  • Ensure key staff know what to do if the incident occurs when you are not there.
    • Do you want them to call you?
    • Do you want them to call your IT provider?
  • Discuss it with them at least once every few months so new staff are informed and long-term staff are reminded.