
Tip of the month of October, 2007 - Week 3

INCIDENT RESPONSE

The SECURITY & PRIVACY NEWSLETTER is published monthly in support of the healthcare industry's efforts to work together towards compliance in security and privacy. Subscribers total over 3,000.

The Security Incident Procedures (§ 164.308(a)(6)) Standard in the HIPAA Security Rule requires organizations to implement policies and procedures to address security incidents.

Under the HIPAA Security Rule, a security incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system (45 CFR § 164.304). Organizations need to determine how they will respond to a security incident. Further, organizations must establish a reporting mechanism and a process to coordinate responses to the security incident.

Typically, organizations will identify individuals to be a part of a formal incident response team. Areas to address include:

  • Have appropriate (internal and external) persons who should be informed of a security breach been identified and a contact information list prepared?
  • Has a written incident response plan been developed and provided to the incident response team?
  • Does the incident response team keep adequate documentation of security incidents and their outcomes, which may include what weaknesses were exploited and how access to information was gained?
  • Do records reflect new contacts and resources identified for responding to an incident?
  • Does the organization consider whether current procedures were adequate for responding to a particular security incident?

For a complimentary copy of the PCI Data Security Standard quick reference card, please email technologysolutions@aha.org

Pabrai Presents Security Exec Brief, Oct 30, 2007 in Sacramento, CA

Join Ali Pabrai, CISSP, CSCS, as he delivers two executive briefs in Sacramento, California on Oct 30, 2007. The first brief is focused on “The 42 Questions HHS May Ask in a HIPAA Audit” and steps you through best practices to ensure HIPAA compliance. The second brief examines the new “ISO 27002 International Security Standard”. Learn about the scope of this new security standard and how to apply it in your organization to enhance your policies and procedures. To register or for more information, please visit www.HIPAAAcademy.Net or contact Lorna Waggoner, CHP, at 1.877.899.9974 x17.

For more information visit www.aha-solutions.org, contact Lorna Waggoner at 1.877.899.9974 x17 or visit www.HIPAAAcademy.net


Sample Incident Response Policy Template

<<Organization name>> will maintain procedures for identifying security incidents. Incidents will be classified as “serious” or “non-serious.” Non-serious incidents generally have the following characteristics:

- It is determined that there was no malicious intent (or that the attack was not directed specifically at <<organization name>>) in connection with the incident, and

- It is determined that no sensitive information was used, disclosed, or damaged in an unauthorized manner

Serious incidents generally have the following characteristics:

- It is determined that there was malicious intent and/or an attack was directed specifically at <<organization name>>

- It is determined that sensitive information may have been used, disclosed, or damaged in an unauthorized manner

All workforce members of <<organization name>> will report to the Security Officer any security incident that they become aware of or suspect. A security incident is any breach of security policy, or any activity that could potentially put information, especially sensitive information, at risk of unauthorized use, disclosure, or modification.

<<Organization name>> will maintain procedures for responding to serious and non-serious security incidents in order to prevent the escalation of the incident and to prevent future incidents of a similar nature.

Incidents characterized as serious by the Security Officer will be responded to immediately and reported to all upper-level management.

<<Organization name>> will attempt to mitigate any harmful effects, when possible, where a security incident affects customer information.


Last updated: October 17, 2007