Updated: Feb 21, 2019
From our "Keys to Preventing a Breach 2.19" article on this page.
A CE’s ability to identify or manage a breach begins with a well-thought-out incident management plan. The incident management process begins with a workforce trained to recognize and report security incidents. For those not aware, a security incident is:
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
An incident management plan includes the workforce members required to investigate, document, and report HIPAA-based security incidents, and includes additional resources based on the incident’s specific findings. For example, the information services team may need to isolate a workstation, server, or email account without delay. The communications staff may need to begin a project to manage a breach’s news to affected patients or to the media. The HIPAA Privacy Officer should be integral to determining whether an incident is also a violation of policy and whether a breach has occurred. HIPAA-experienced legal assistance should be pre-defined and ready to help craft OCR responses. The HIPAA Security Officer should be coordinating and owning all aspects of the work involved. Lastly, the incident management plan also needs to be tested against a handful of trending scenarios, including both ransomware and phishing attacks.
Security incidents “handled by administration” or by an inconsistent or ad-hoc process will either fail, or significantly and negatively affect a CE’s incident response. If your security incident policy, procedures, and plan don’t pass a risk analysis – fix this immediately.
Link to complete whitepaper: https://docs.wixstatic.com/ugd/6be7c6_2865b729fd434ec98b8d94332267e82c.pdf