Establish a policy that addresses security incidents
HIM Connection, January 2, 2007
Want to receive articles like this one in your inbox? Subscribe to HIM Connection!
Section 164.308(a)(6) of the HIPAA security rule requires your organization to establish policies and procedures for addressing security incidents. Tailor your plan to your facility's needs by revisiting the policy regularly, examining past incidents, and using your imagination: just because a particular breach scenario hasn't happened yet doesn't mean it won't.
Getting caught off guard means you're more likely to conduct incident response the wrong way, by "panicking and pointing fingers," says Kevin Beaver, CISSP, an Acworth, GA-based security consultant. Prevent knee-jerk incident response by implementing and testing a comprehensive policy, Beaver says. Your policy should include the following items:
- Overview-A summary of the policy and a list of employees responsible for incident response. These employees will vary depending on the organization but should include the compliance, privacy, and information security officers, and representatives from the human resources, marketing/public relations, and legal departments, says Reece Hirsch, partner at Sonnenschein Nath & Rosenthal, LLP, in San Francisco.
- Preparation-A description of your readiness to respond to incidents.
- Detection-A definition of what constitutes an incident (see below for HIPAA's definition) and the tools your organization uses to detect them.
- Investigation and containment-An outline of the specific steps to take and tools to use after detecting an incident.
- Eradication-A description of how to deal with the breach. Steps might include isolating a computer you suspect is infected from the network, reformatting its drives, changing all passwords, and scanning for vulnerabilities. Before you reformat or rebuild a system, preserve the evidence you may need later (a disk image, memory capture, and relevant logs), because once the drive is wiped you can no longer establish what was accessed or how.
- Recovery-Instructions for bringing systems back online and monitoring for repeat attacks.
- Following up-A process for determining what the organization could have done differently. You should recommend and implement changes to administrative, technical, or physical safeguards.
- Calling tree-Contact information for the incident response team members.
- Testing-A procedure for testing and improving the policy.
- History-Notes on previous incidents and changes.
- Revisions-Past versions of the incident response plan.
- Diagram-A current network diagram showing all network hosts and their configuration information.
In addition, your plan needs to account for laws besides HIPAA, Hirsch says. Pay special attention to state security breach notification laws (e.g., California's SB 1386) that might require you to notify the individuals whose information was involved in an incident.
Know how HIPAA defines a security incident
Section 164.304 of the security rule defines a security incident as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system."
Editor's note: The above article was adapted from the newsletter Briefings on HIPAA. For more information or to order, call 877/727-1728 or go to www.hcmarketplace.com/prod-162.html.