Plot Out Your Organization’s Security Incident Response Plan

Posted on 10 Aug, 2017 | 3 comments | By Elizabeth

Follow 7 expert-recommended steps to evaluate, document, and report breaches.

With the increase in data breach incidents—as well as the rise in HIPAA breach penalties—it’s more important than ever before for covered entities (CEs) and business associates (BAs) to develop a thorough incident response plan. Here’s what you need to do right now to protect your organization from the devastating fallout of a mishandled breach response.

Form an Incident Response Team

Payoff: “Being prepared on an organizational level can mitigate the risk of both extensive data loss and negative press,” says Diana Maier, an employment and privacy law attorney of the Law Offices of Diana Maier based in San Francisco.

“Before a breach takes place, a response team should be formed with key personnel, such as executives and privacy, legal, IT, and public relations staff,” Maier advises. “This team should inform the organization on the protocol to expect following a breach. When a breach does happen, the team should be responsible for implementing the response plan.”

Also, keep in mind that you may need to have more than one plan, depending on the kind of data involved in the incident, Maier notes.

Follow 3 Steps to Address Security Incidents

There are three phases of security incident management, which you should carry out in succession as needed, according to Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems LLC based in Charlotte, VT. The three major phases are:

  1. Assess the security incident. First, you need to assess the incident to determine what happened and what you need to do to avoid the problem in the future, Sheldon-Dean says. “Part of this assessment includes a determination of whether or not the incident includes information that may qualify the incident as a reportable breach under state or federal laws.”

This determination will shape your next steps. If the information is not covered under breach notification laws, you would document the incident and consider it at a future periodic incident review meeting, Sheldon-Dean advises.

  2. Evaluate potentially reportable breaches. But if the information is covered under breach notification laws, then you need to review the incident, Sheldon-Dean says. In this second phase, review the incident in the context of the applicable breach notification laws to determine if the breach is reportable under those laws.
  3. Report the breach as necessary. If you determine that the incident is a reportable breach, this would trigger the reporting process, according to Sheldon-Dean. You would then need to report (and document your reporting) to the affected individuals, the Department of Health and Human Services (HHS), the press, and various state agencies as the law requires.

The basics: According to Maier, your incident response plan should vary depending on the kinds of data involved—but all plans should include the following steps after discovering a breach:

  1. Secure the area or network involved in the cause of the breach;
  2. Ensure the breach has stopped or stop it;
  3. Preserve evidence (for example, secure the metadata) and document all aspects of the incident;
  4. Notify those whose information has been breached and, as necessary, the media and any relevant authorities like the HHS Office for Civil Rights (OCR); and
  5. Work with forensics firms, law enforcement, OCR, etc. as needed.

To learn more about plotting out your organization’s security incident response plan, pick up your copy of TCI’s HIPAA Handbook 2017.



Elizabeth works on an array of projects at TCI, researching and writing about modern reimbursement challenges. Since joining TCI in 2017, she has also covered the nuts and bolts of cybersecurity, compliance with federal laws, and how to tap into the advantages of telehealth services.


3 thoughts on “Plot Out Your Organization’s Security Incident Response Plan”

  1. I needed to put you this little bit of observation to be able to thank you very much yet again for these lovely opinions you’ve discussed in this article. It has been simply extremely generous with you to offer publicly just what most people could have distributed for an e book to end up making some dough for their own end, specifically seeing that you might well have tried it in the event you wanted. Those concepts additionally served like a great way to be aware that other individuals have the same passion just like my personal own to learn great deal more with regard to this matter. I’m certain there are a lot more pleasurable times up front for many who look over your blog.

  2. I want to get across my appreciation for your kindness in support of visitors who really need help with the area. Your personal commitment to getting the message all around turned out to be astonishingly informative and has all the time permitted others like me to achieve their targets. Your own important information entails a whole lot a person like me and substantially more to my office colleagues. With thanks; from everyone of us.

  3. I simply had to thank you very much yet again. I am not sure the things that I might have implemented in the absence of the type of creative ideas revealed by you regarding my question. Previously it was the frightful matter for me personally, nevertheless taking note of this specialized fashion you treated it took me to cry for contentment. Extremely thankful for the advice and thus sincerely hope you really know what a great job you happen to be doing teaching most people through your website. I am sure you’ve never got to know all of us.
