Labor Day 2018: Building an Incident Response Plan Over the Long Weekend

Incident response and security operations | Business planning and incident preparation

Happy Labor Day. If your practice experienced a ransomware attack Tuesday morning, would your team know exactly what to do? Who to call first? Whether to shut down the server or leave it running? How to communicate with patients whose appointments are affected?

If the answer to any of those questions is "I'm not sure," you need an incident response plan. And this long weekend is a great time to build one.

The One-Page Incident Response Plan

An incident response plan doesn't need to be a 50-page document. For a small practice, one page is enough. Here's the template:

Section 1: Detection

Signs of a potential incident:

  • Ransom note on screen or inability to open files
  • Unusual system behavior (extreme slowness, programs crashing)
  • Unexpected password reset emails
  • Alerts from your antivirus or IT provider
  • Reports from patients about suspicious communications from the practice

Section 2: Immediate Response (First 15 Minutes)

  1. Don't panic. Follow these steps in order.
  2. Disconnect affected machines from the network (unplug the Ethernet cable or disable Wi-Fi). Don't turn them off unless specifically instructed by IT.
  3. Call your IT provider: [Phone number]. If no answer, call [backup number].
  4. Document what you see: Take photos of error messages, ransom notes, or unusual screens. Note the time and which machines are affected.
  5. Do not pay any ransom without consulting IT and legal counsel.

Section 3: Communication

  • Internal: [Office manager/practice owner] notifies all staff to stop using affected systems
  • IT provider: [Name, phone, email]
  • Cyber insurance: [Carrier name, policy number, claims number]
  • Legal counsel: [Attorney name, phone] (for breach notification guidance)
  • Patients: Do not communicate about the incident externally until cleared by legal counsel

Section 4: Recovery Priorities

  1. Restore critical systems (PMS, scheduling) from backup
  2. Verify data integrity
  3. Restore secondary systems (email, imaging)
  4. Return to normal operations

Section 5: Post-Incident

  • Determine scope of the incident (what data was affected?)
  • Assess HIPAA breach notification requirements with legal counsel
  • Document lessons learned
  • Update security measures to prevent recurrence

Filling In the Blanks

The plan above has several blanks: phone numbers, names, policy numbers. Fill them in now, while you're thinking about it. Print copies and post them in the server room, at the front desk, and in the office manager's workspace. Store a digital copy somewhere accessible even if your systems are down (a personal phone, for example).

The Key Insight

The goal of an incident response plan isn't to prevent incidents. It's to turn panic into procedure. When something goes wrong, people don't rise to the occasion. They fall to the level of their preparation. Prepare now.