Plot Out Your Organization’s Security Incident Response Plan

Posted on 10 Aug, 2017 | By Elizabeth

Follow 7 expert-recommended steps to evaluate, document, and report breaches.

With the increase in data breach incidents—as well as the rise in HIPAA breach penalties—it’s more important than ever for covered entities (CEs) and business associates (BAs) to develop a thorough incident response plan. Here’s what you need to do right now to protect your organization from the devastating fallout of a mishandled breach response.

Form an Incident Response Team

Payoff: “Being prepared on an organizational level can mitigate the risk of both extensive data loss and negative press,” says Diana Maier, an employment and privacy law attorney of the Law Offices of Diana Maier based in San Francisco.

“Before a breach takes place, a response team should be formed with key personnel, such as executives and privacy, legal, IT, and public relations staff,” Maier advises. “This team should inform the organization on the protocol to expect following a breach. When a breach does happen, the team should be responsible for implementing the response plan.”

Also, keep in mind that you may need to have more than one plan, depending on the kind of data involved in the incident, Maier notes.

Follow 3 Steps to Address Security Incidents

There are three phases of security incident management, which you should carry out in succession as needed, according to Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems LLC based in Charlotte, VT. The three major phases are:

  1. Assess the security incident. First, you need to assess the incident to determine what happened and what you need to do to avoid the problem in the future, Sheldon-Dean says. “Part of this assessment includes a determination of whether or not the incident includes information that may qualify the incident as a reportable breach under state or federal laws.”

     This determination will help you to determine your next steps. If the information is not covered under breach notification laws, you would document the incident and consider it at a future periodic incident review meeting, Sheldon-Dean advises.

  2. Evaluate potentially reportable breaches. But if the information is covered under breach notification laws, then you need to review the incident, Sheldon-Dean says. In this second phase, review the incident in the context of the applicable breach notification laws to determine if the breach is reportable under those laws.
  3. Report the breach as necessary. If you determine that the incident is a reportable breach, this would trigger the reporting process, according to Sheldon-Dean. You would then need to report (and document your reporting) to the affected individuals, HHS, the press, and various state agencies as the law requires.

The basics: According to Maier, your incident response plan should vary depending on the kinds of data involved—but all plans should include the following steps after discovering a breach:

  1. Secure the area or network involved in the cause of the breach;
  2. Ensure the breach has stopped or stop it;
  3. Preserve evidence (for example, secure the metadata) and document all aspects of the incident;
  4. Notify those whose information has been breached and, as necessary, the media and any relevant authorities like the HHS Office for Civil Rights (OCR); and
  5. Work with forensics firms, law enforcement, OCR, etc. as needed.

To learn more about plotting out your organization’s security incident response plan, pick up your copy of TCI’s HIPAA Handbook 2017.
