Cybersecurity Incident Response

This topic brief provides:

  • A definition of incident response 
  • Reasons why incident response matters
  • Reasons why incident response is relevant to the delivery of  health care

 

Incident Response Definition

Incident Response (DHS)

Incident response is defined as the activities that address the short-term, direct effects of an incident.  Incident response may also support short-term recovery (namely, recovery of normal operations as quickly as possible).  Additionally, incident response (i.e., in response to security incidents) is required by the HPAA Security Rule.

Security Incidents (HIPAA Security Rule, 45 CFR §164.304)

A security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Note: Security incidents may be successful or unsuccessful.  Thus, not all security incidents ultimately have an adverse effect or impact on an organization.  However, much can be learned from unsuccessful security incidents, in addition to successful ones.  (An example of an unsuccessful security incident can be multiple failed login attempts for a single user account.  Another example is an authorized user attempting to get access to resources which he or she does not have authorized access to.)

An entity’s security incident response activities should begin with an initial analysis with the following steps (HHS, Office of Civil Rights): 

 

  1. Determine the scope of the incident to identify what networks, systems, or applications are affected;
  2. Determine the origination of the incident (who/what/where/when);
  3. Determine whether the incident is finished, is ongoing or has propagated additional incidents throughout the environment; and
  4. Determine how the incident occurred (e.g., tools and attack methods used, vulnerabilities
  5. exploited).
Resources

National Initiative for Cybersecurity Careers and Studies (NICSS) Glossary: The NICCS Portal’s cybersecurity lexicon is intended to serve the cybersecurity communities of practice and interest for both the public and private sectors. It complements other lexicons such as the NISTIR 7298 Glossary of Key Information Security Terms. Objectives for lexicon are to enable clearer communication and common understanding of cybersecurity terms, through use of plain English and annotations on the definitions. The lexicon will evolve through ongoing feedback from end users and stakeholders.

Is a Security Incident the Same for Every Organization?

Each organization must define what a security incident is and how it is handled and prioritized.  Factors to consider include the:

  • Nature and sensitivity of the information that has been potentially compromised
  • Attack vectors involved
  • Potential impact and/or harm to the organization (and/or its patients).

A covered entity may decide that a “ping” (a request-response utility used to determine whether a specific Internet Protocol (IP) address, or host, exists or is accessible) on the communications network initiated from an external source would require the following actions to comply with the standard;

  1. Minimal, if any, response 
  2. No mitigation actions since no harmful effects were caused by the incident
  3. Brief documentation of the security incident and outcome, such as, a recording of aggregate statistical information

Based on its analysis, the entity may also determine that other types of incidents, such as suspicious patterns of “pings” on the communications network initiated from an external source or a specific malicious security incident would require a more detailed response, mitigation steps, and more detailed documentation of the incident and outcome. (HHS)

Resources

HHS' HIPPA for Professionals: What does the Security Rule require a covered entity to do to comply with the Security Incidents Procedures standard?

Security Incident Concerns (Covered Entities)

If a business associate has a security incident, does it need to report the security incident to the covered entity?

Under the HIPAA Security Rule, as set forth at 45 CFR 164.314(2)(i)(C), a business associate must report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by 45 CFR § 164.410 (notification by a business associate to the covered entity of a breach).

Accordingly, the HIPAA Breach Notification Rule may apply in case of a breach.

If a covered entity has a security incident, does it need to report the security incident?  

“While internal reporting of security incidents is an inherent part of security incident policies and procedures, the Security Rule generally does not require a covered entity to report incidents to outside entities.” (HHS)  

However, the covered entity should be cognizant of its contractual and other legal obligations.  In addition, if the security incident rises to the level of a breach, then the HIPAA Breach Notification Rule applies.
 

Resources

HHS' HIPPA for Professionals: Breach Notification Rule

Ransomware Concerns

What if electronic protected health information (ePHI) is encrypted as a result of a ransomware attack?  Has a breach occurred?  

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule. (HHS/Office of Civil Rights)

Resources

HHS FACT SHEET: Ransomware and HIPAA

Why Incident Response Matters

Incident response matters because an actual security incident has occurred and needs to be mitigated as soon as possible (especially if the security incident was successful).  The HIPAA Security Rule, as set forth at 45 CFR §164.308(a)(6)(ii), requires the following: mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.  Notwithstanding compliance requirements, incident response matters because patient safety is on the line.  Whether a security incident affects a medical device or an information system containing patient data, there could potentially be deleterious consequences if the patient data is inaccessible, destroyed, corrupted, unavailable, and/or modified without authorization.

For A Deep Dive on Cybersecurity
Visit the HIMSS Privacy and Security Toolkits
 

Resources

HIMSS Privacy and Security Toolkits: Privacy and security toolkits on topics including small provider cybersecurity concerns, patient indentity, risk assessment, mobile security and cloud computing security.