Health Information Management

Establish a policy that addresses security incidents

HIM-HIPAA Insider, January 2, 2007

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Section 164.308(a)(6) of the HIPAA Security Rule requires your organization to establish policies and procedures for addressing security incidents. Tailor the plan to your facility's needs by revisiting the policy regularly, examining past incidents, and using your imagination. Just because a particular breach scenario hasn't happened yet doesn't mean it won't.

Getting caught off guard means you're more likely to conduct incident response the wrong way, by "panicking and pointing fingers," says Kevin Beaver, CISSP, an Acworth, GA-based security consultant. Prevent knee-jerk incident response by implementing and testing a comprehensive policy, Beaver says. Your policy should include the following items:

  1. Overview - A summary of the policy and a list of the employees responsible for incident response. These employees will vary depending on the organization but should include the compliance, privacy, and information security officers, and representatives from the human resources, marketing/public relations, and legal departments, says Reece Hirsch, partner at Sonnenschein Nath & Rosenthal, LLP, in San Francisco.

  2. Preparation - A description of your readiness to respond to incidents.

  3. Detection - A definition of what constitutes an incident (see below for HIPAA's definition) and the tools your organization uses to detect one.

  4. Investigation and containment - An outline of the specific steps to take and tools to use after detecting an incident.

  5. Eradication - A description of how to remove the cause of the breach. Steps might include disconnecting a computer you suspect is infected from the network, reformatting its drives, changing all passwords, and scanning for vulnerabilities.

  6. Recovery - Instructions for bringing systems back online and monitoring for repeat attacks.

  7. Following up - A process for determining what the organization could have done differently. You should recommend and implement changes to administrative, technical, or physical safeguards.

  8. Calling tree - Contact information for the incident response team members.

  9. Testing - A procedure for testing and improving the policy.

  10. History - Notes on previous incidents and changes.

  11. Revisions - Past versions of the incident response plan.

  12. Diagram - A current network diagram showing all network hosts and their configuration information.

In addition, your plan needs to take into account laws besides HIPAA, Hirsch says. Pay special attention to state security breach notification laws (e.g., California's SB 1386) that might require you to notify the individuals affected by an incident.

Know how HIPAA defines a security incident
Section 164.304 of the security rule defines a security incident as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system."

Editor's note: The above article was adapted from the newsletter Briefings on HIPAA. For more information or to order, call 877/727-1728 or go to

