Welcome to the nightmare scenario. In Part 2 of our conversation with Donna Grindle, we move past the compliance paperwork and talk about what actually happens the moment you realize you've been breached.
For small business owners, an incident doesn't just mean calling IT, it means operations shut down for days, VoIP phones go dark, and the cash flow stops. Donna breaks down why going back to paper records is a massive financial risk, how ambulance-chasing lawyers will target you on social media, and why your cyber insurance might force you into a global maze of vendors.
"Take ownership of it. Don't assume that somebody else in your office is handling it... You will likely lose your business or be on the verge of it if you are not prepared in some way." — Donna Grindle
Security Incident vs. Data Breach: A security incident is a panic-inducing event that requires investigation, but it may or may not officially escalate into a data breach that requires regulatory reporting.
Incident Response Plan (IRP): A comprehensive strategy that covers far more than just IT recovery; it must dictate how you communicate with employees, vendors, and clients during a crisis.
Tabletop Exercise: A low-stakes practice run of your Incident Response Plan to poke holes in it before an actual emergency. It helps you figure out exactly who is in charge, who you are calling, and who is authorized to speak publicly.
Kardon: https://kardonhq.com/
Help Me With HIPAA Podcast: https://helpmewithhipaa.com/
00:00 – Introduction
00:54 – Cyber Incidents vs Breaches in a HIPAA Context
01:26 – Why Operational Continuity Cannot Be an IT Responsibility
03:02 – Questions to Ask During a Tabletop Exercise
03:50 – Talking to Patients on Facebook
04:06 – More Questions to Ask During a Cyber Incident
05:13 – Even "Calling my MSP" Isn't an Incident Response Plan
05:37 – When a Cyber Incident Becomes a Breach
06:09 – "Can't We Just Send a Postcard?"
06:32 – Steps to Respond to a HIPAA Breach
09:03 – Final Summary: Shifting to Active Security Ownership
09:59 – Where to Find Donna and Kardon
Donna Grindle: You have to notify the press, the local news. And you know what? Sometimes they show up in your office, lights and everything, right as you close. And this is the part I hate the most: the minute those come out, you see postings all over social media. “If you are a victim of this cyber attack,” and they're immediately going to file those.
Jen Stone: Hello, and welcome back to Practical Cybersecurity. Donna, I'm delighted to have you back again. I don't want to scare people, but I don't know, maybe I do want to scare people. What happens when things go wrong? What happens when you have a breach and have to report it to OCR? What? What goes on then?
Donna Grindle: Well, first, you can have an incident that is not a breach. Let's work on our terms. You have a security incident; it may or may not be a data breach. First and foremost, we have a security incident, and we have to understand what's happening there. That is the "hair on fire" panic time.
When we say you need to have an Incident Response Plan, it's not "I'll call IT." That's not an IRP. And to just say the owner of the company and the managers will handle it—that’s not an IRP because you need so many other things. You'll have an IRP that says, "Well, IT is going to jump in and take care of it." Okay, who's going to handle IT’s work while they're handling that? Because we're not talking an hour; we're talking days.
They're going to have to shut things down in order to figure out what's going on and make sure they eradicate the problem. You can't leave things up and running while they’re figuring it out because it just gets worse. You've got to contain that thing. The IT people don't need to be figuring out how to set up some stuff for your cloud backup solution; you're going to need somebody else. They're not going to be able to make your phones work because everybody's got internet-based phones now. If your phones don't work, how do your patients contact you? How are you going to contact your patients or your clients?
You know, so often there’s this disconnect between the IT part of it and what really happens. And that's the part you really need to sit down. Until you've done what we call a Tabletop Exercise, where you sit down and truly understand what happens, you don't see the gaps.
It does give you the opportunity when you say, okay, well, so-and-so reported this, what do you do? And everybody's like, “Well, I guess I call so-and-so.” Okay. And so-and-so says, “Well, yeah, I've got to go look at that.” So what do you do? “Uh…”
Jen Stone: And tabletop exercises are great because they poke holes in your incident response plan. If you’re trying to figure it out in the moment when everyone is stressed out, that’s the worst time to try to figure something out. But a tabletop exercise lets you dip your toe in. It’s the idea of “Do we know what we’re doing? Do we know who we’re calling? Do we know who is included [in the plan]? Do we know who isn’t included? Do we know who is allowed to speak for us? Are we going to just talk to our customers on Facebook at that point?”
Donna Grindle: And if they do start putting stuff on Facebook, you don't talk to patients on Facebook.
Jen Stone: No, you don’t!
Donna Grindle: And we've seen it happen.
Jen Stone: That’ll make that breach so much worse.
Donna Grindle: Everything goes downhill after that. You've got to have a plan. How do you communicate with your business partners, your vendors, your clients, your patients, whatever? Who's coming in tomorrow? People that are actively there in your office right now, what are you going to do with them?
How do you deal with your employees? What are you going to do with them? You've got to figure that out. And then, so often in health care, they say, well, we'll just go to paper. Great.
Jen Stone: When’s the last time they worked on paper, though?
Donna Grindle: Yeah. Some of those people have never worked on paper. That's number one. Number two, when you go to paper, then you've got to get all that back into the system somehow. And while you're on paper, you're also not sending out claims and bills, so you're not getting paid.
Jen Stone: And do you have enough time and people to do that? Who knows? Better test it and find out.
Donna Grindle: You need to understand that you're going to need help. And where are you going to get it? And if we work better as a community to understand that... We're seeing that, like, some guys, you know, they had a horrible attack on the MSP. Well, if you think your IT company’s getting attacked and you're going to be the number one thing they're going to worry about... No, they can't. They've got to worry about everybody.
So there are so many variables that you have to have in the plan. But then let's say we get to the point that we have a data breach, and everybody thinks, well, you just send a letter. Okay. Do you know how much those cost? Do you know where you're going to send them? Because if you don't have a relationship in advance, you have to have a business associate relationship in place to generate the letters and send them through a mailing service.
Jen Stone: And do you know how to mail them out in a HIPAA compliant manner?
Donna Grindle: Yes.
Jen Stone: Because that’s another step where you could make it worse if you don’t have a plan.
Donna Grindle: In a meeting, I actually had a doctor say, well, can't we just send them postcards to tell them about the data breach? And I'm like, only if you're going to plan to send them a letter after that telling them about the breach that you just did with the postcard. And you could see the recognition. So you've got that to worry about.
You've also got to report to HHS. And really, everybody starts worrying about that, but honestly, that's the least of your concerns, because the next thing that happens is, if it's 500 or more, you have to notify the press, the local news. And you know what? Sometimes they show up at your office, lights and everything, right as you close. I've seen it happen. Where, you know, they're like, what do you say about this?
And this is the part I hate the most: the minute those come out, you see postings all over social media. “If you are a victim of this cyber attack,” this firm... and there's usually two, at least, that are going to file a suit. At least one, usually two, and they're immediately going to file against you. As soon as they get one person, they're going to file.
That is the thing that will be the biggest PITA in the whole thing. But the other thing that's really, really important is, if you have that cyber coverage, number one, you better know what it covers. Number two, you better know when you have to open a claim, and you want to open a claim immediately. You'd rather open a claim that never turns into something than not open it in time.
Because of all this legal stuff, remember that civil lawsuit: you need things under privilege. Not for OCR, but for all the civil cases, they cover your attorney. And by the way, now some of those insurance companies only let you work with certain vendors. I mean, I was literally working on a case with a data breach, and it may have been here in Georgia, and their insurance company is in Tokyo, and they have them work with a representative in San Francisco, who uses lawyers in Texas, who uses the forensics people in London.
Jen Stone: And how would you know that if you didn’t open your claim early?
Donna Grindle: Well, and until you really trigger it, you don't see all of that happen, you know? And they're like, you're just a little breach. We'll get to you later.
Jen Stone: So in closing, now that we have possibly overwhelmed small business owners with this talk of HIPAA, what is one piece of advice you would give them?
Donna Grindle: Take ownership of it. Don't assume that somebody else in your office is handling it. Because if you are not the one saying we have to have this done, how can I help? Then the culture is the rules don't really apply. We're just checking boxes. And this is not regulatory compliance anymore. I mean, it's involved, but you will likely lose your business or be on the verge of it if you are not prepared in some way. That is the most important thing.
Jen Stone: Excellent advice. Alright, well, if people are now intrigued and want to hear more from you, or about you, or connect with you, what’s the best way to do that?
Donna Grindle: You can go to kardonhq.com. HQ, which is “help quick” or “headquarters,” depending on your needs. If you go to the website, there's a contact us there. You can always just email. And you can listen to the podcast. You can reach out to us there, you can reach out on social media, connect on LinkedIn. We're everywhere that you want to be. I don't know if that was a flashback.
Jen Stone: That was fantastic. Well, Donna, I just love talking to you. Thank you so much for spending some time with me here today. We will connect again soon.
Donna Grindle: I can't wait.