This topic brief provides:
- A definition of incident response
- Reasons why incident response matters
- Reasons why incident response is relevant to the delivery of health care
Incident Response (DHS)
Incident response is defined as the activities that address the short-term, direct effects of an incident. Incident response may also support short-term recovery (namely, recovery of normal operations as quickly as possible). Additionally, incident response (i.e., in response to security incidents) is required by the HIPAA Security Rule.
Security Incidents (HIPAA Security Rule, 45 CFR §164.304)
A security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Note: Security incidents may be successful or unsuccessful. Thus, not all security incidents ultimately have an adverse effect or impact on an organization. However, much can be learned from unsuccessful security incidents, in addition to successful ones. (One example of an unsuccessful security incident is multiple failed login attempts against a single user account. Another is an authorized user attempting to access resources for which he or she has no authorization.)
An entity’s security incident response activities should begin with an initial analysis with the following steps (HHS, Office for Civil Rights):
National Initiative for Cybersecurity Careers and Studies (NICCS) Glossary: The NICCS Portal’s cybersecurity lexicon is intended to serve the cybersecurity communities of practice and interest for both the public and private sectors. It complements other lexicons such as the NISTIR 7298 Glossary of Key Information Security Terms. The objectives of the lexicon are to enable clearer communication and a common understanding of cybersecurity terms, through the use of plain English and annotations on the definitions. The lexicon will evolve through ongoing feedback from end users and stakeholders.
Each organization must define what a security incident is and how it is handled and prioritized. Factors to consider include the:
A covered entity may decide that a “ping” (a request-response utility used to determine whether a specific Internet Protocol (IP) address, or host, exists or is accessible) on the communications network initiated from an external source would require the following actions to comply with the standard;
Based on its analysis, the entity may also determine that other types of incidents, such as suspicious patterns of “pings” on the communications network initiated from an external source or a specific malicious security incident would require a more detailed response, mitigation steps, and more detailed documentation of the incident and outcome. (HHS)
HHS' HIPAA for Professionals: What does the Security Rule require a covered entity to do to comply with the Security Incidents Procedures standard?
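As an added illustration (not code from HHS or HIMSS), the following Python sketch shows how an entity might encode the prioritization described above as policy: every event is documented with its outcome, a successful incident or a suspicious pattern of attempts from one source gets a detailed response, and an isolated external ping is logged only. The sample event log, the threshold, the time window and the record field names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (not real data): (timestamp, kind, source, outcome)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "ping", "198.51.100.7", "attempted"),
    ("2024-01-10T09:00:02", "ping", "198.51.100.7", "attempted"),
    ("2024-01-10T09:00:04", "ping", "198.51.100.7", "attempted"),
    ("2024-01-10T10:15:00", "ping", "203.0.113.9", "attempted"),
    ("2024-01-10T11:00:00", "failed_login", "user:jdoe", "attempted"),
    ("2024-01-10T11:00:05", "failed_login", "user:jdoe", "attempted"),
    ("2024-01-10T12:30:00", "ransomware_encryption", "host:ws-12", "successful"),
]

def triage(events, pattern_threshold=3, window=timedelta(minutes=5)):
    """Group events by (kind, source) and assign a response level.

    Assumed policy (illustrative, set by the entity, not by HIPAA):
      * every event is a security incident, documented with its outcome;
      * a successful incident always gets a detailed response and mitigation;
      * >= pattern_threshold attempts from one source inside `window` is a
        suspicious pattern and also gets a detailed response;
      * anything else (e.g. an isolated external ping) is logged only.
    """
    groups = defaultdict(list)
    for ts, kind, source, outcome in events:
        groups[(kind, source)].append((datetime.fromisoformat(ts), outcome))
    records = []
    for (kind, source), items in groups.items():
        items.sort()
        successful = any(o == "successful" for _, o in items)
        # Sliding window: largest number of events within any `window` span.
        peak, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        pattern = peak >= pattern_threshold
        records.append({
            "kind": kind, "source": source, "count": len(items),
            "outcome": "successful" if successful else "unsuccessful",
            "suspicious_pattern": pattern,
            "response": "detailed_response" if (successful or pattern) else "log_only",
            "mitigate": successful,
            # ePHI encrypted by ransomware is a breach candidate (HHS fact sheet).
            "breach_assessment": successful and kind == "ransomware_encryption",
            "documented": True,
        })
    return records
```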
If a business associate has a security incident, does it need to report the security incident to the covered entity?
Under the HIPAA Security Rule, as set forth at 45 CFR 164.314(2)(i)(C), a business associate must report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by 45 CFR § 164.410 (notification by a business associate to the covered entity of a breach).
Accordingly, the HIPAA Breach Notification Rule may apply in case of a breach.
If a covered entity has a security incident, does it need to report the security incident?
“While internal reporting of security incidents is an inherent part of security incident policies and procedures, the Security Rule generally does not require a covered entity to report incidents to outside entities.” (HHS)
However, the covered entity should be cognizant of its contractual and other legal obligations. In addition, if the security incident rises to the level of a breach, then the HIPAA Breach Notification Rule applies.
HHS' HIPAA for Professionals: Breach Notification Rule
What if electronic protected health information (ePHI) is encrypted as a result of a ransomware attack? Has a breach occurred?
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule. (HHS/Office for Civil Rights)
HHS FACT SHEET: Ransomware and HIPAA
Incident response matters because an actual security incident has occurred and needs to be mitigated as soon as possible (especially if the security incident was successful). The HIPAA Security Rule, as set forth at 45 CFR §164.308(a)(6)(ii), requires the following: mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. Notwithstanding compliance requirements, incident response matters because patient safety is on the line. Whether a security incident affects a medical device or an information system containing patient data, there could potentially be deleterious consequences if the patient data is inaccessible, destroyed, corrupted, unavailable, and/or modified without authorization.
For A Deep Dive on Cybersecurity
Visit the HIMSS Privacy and Security Toolkits
HIMSS Privacy and Security Toolkits: Privacy and security toolkits on topics including small provider cybersecurity concerns, patient identity, risk assessment, mobile security and cloud computing security.