Corporate Compliance

Recovering from a system breach

Compliance Monitor, July 22, 2005

Q. What should we do if someone outside our organization hacked into our computer system?

A. The good news is that a breach of your network or computers doesn't necessarily mean that ePHI has been compromised. You still need to minimize damage as much as possible, but don't panic and start disconnecting network cables and shutting down firewalls and computers. Doing so can eliminate potential evidence that you can use to track down the culprit.

If you suspect malicious behavior but don't have experience with what to look for or how to respond, contact an incident-response expert or computer forensics investigator. If you're experienced and know which system(s) are affected, simply unplug the device instead of formally shutting it down. But be careful. Although this can help preserve evidence, it's also tricky if it's a database system that can become corrupt if not shut down correctly. You also may not be able to afford to have the system offline for any extended period of time.

If you believe criminal action has taken place, contact your local law enforcement cyber-crime investigator. Someone at your local city or county law enforcement office should handle this type of investigation. If this office can't help, go to your state bureau of investigation or your nearest FBI field office directly (for cyber crimes that cross state boundaries).

Most importantly, make sure you have documented, in advance, formal procedures to follow, and establish contact with computer security experts and law enforcement investigators in your area.

Editor's note: Kevin Beaver of Principle Logic answered this question. This is not legal advice. Consult your attorney for legal matters.