Practical Cybersecurity with Jen Stone

Pressure Testing Your IRP: Why "Calling IT" Isn't a Plan (Part 2)



What happens when the news cameras show up and your business grinds to a halt? Donna Grindle, CEO of Kardon, returns to discuss the "hair on fire" reality of a data breach. We move past the paperwork to explore why "calling IT" isn't a plan, the hidden costs of notification letters, and how insurance mazes can complicate your recovery.

Key Takeaways

  • "Call IT" is Not a Plan: During a breach, IT will be busy containing the threat; you need an operational plan for when systems and phones go dark.
  • The Paperwork Trap: Reverting to paper records stops cash flow because you aren't sending claims or bills—plus, you eventually have to manually re-enter all that data.
  • Media & Legal Circus: If a breach affects more than 500 individuals, HIPAA requires you to notify prominent media outlets as well as the affected patients. That public notice often triggers immediate "ambulance chaser" lawsuit solicitations on social media.
  • Tabletop Exercises: Don't find gaps in your plan during a crisis. Run practice drills to know who is authorized to speak for the company and what vendors to call.
  • Insurance Realities: Open claims immediately to protect legal privilege, but be ready for insurance-mandated vendors that may span several time zones.

"Take ownership of it. Don't assume that somebody else in your office is handling it... You will likely lose your business or be on the verge of it if you are not prepared in some way." — Donna Grindle 

Key Concepts:

Security Incident vs. Data Breach - A security incident is any event that demands investigation (and usually induces panic), but it may or may not officially escalate into a data breach, which is the point at which regulatory reporting obligations attach.

Incident Response Plan (IRP) - A comprehensive strategy that covers far more than just IT recovery; it must dictate how you communicate with employees, vendors, and clients during a crisis.

Tabletop Exercise - A low-stakes practice run of your Incident Response Plan to poke holes in it before an actual emergency. It helps you figure out exactly who is in charge, who you are calling, and who is authorized to speak publicly.

Links:

Kardon: https://kardonhq.com/

Help Me With HIPAA Podcast: https://helpmewithhipaa.com/

Timestamps

00:00 – Intro

00:54 – Cyber Incidents vs Breaches in a HIPAA Context

01:26 – Why Operational Continuity Cannot be an IT Responsibility

03:02 – Questions to Ask During a Tabletop Exercise

03:50 – Talking to Patients on Facebook

04:06 – More Questions to Ask During a Cyber Incident

05:13 – Even "Calling My MSP" Isn't an Incident Response Plan

05:37 – When a Cyber Incident Becomes a Breach

06:09 – "Can't We Just Send a Postcard?"

06:32 – Steps to Respond to a HIPAA Breach

09:03 – Final Summary: Shifting to Active Security Ownership

09:59 – Where to Find Donna Grindle & Kardon

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/


Practical Cybersecurity with Jen Stone, by SecurityMetrics
