Information security incidents
MedStack Confidential
Metadata
- responsible officer: CTO
- date
- effective: 2018-06-20
- revised: 2019-10-12
- reviewed: 2018-06-20
Use automated systems to detect, log, and alert on suspicious activity
- Intrusion Detection System (IDS)
- Install and run IDS on all systems.
- Automatically alert staff when highly suspicious events are detected.
- Security Information and Event Management (SIEM)
- Operate a SIEM covering all systems.
- Centrally log information-security related events.
- Provide a facility for staff to search and analyze logs.
- Incident Response (IR)
- Use an Incident Response system to automatically alert and manage the staff response to incidents.
Immediately respond upon detection
- Notify management and employees
- Inform the CPSO and other management of the incident.
- Notify additional employees if needed to assist with incident response.
- Classify the incident
- Identify and classify the severity of the incident.
- Determine the actual risk to PHI and to the subject(s) of the PHI.
- Mitigate harmful effects
- Disable systems (if appropriate) to prevent the incident from continuing.
- Repair, patch, or otherwise correct the condition or error that created the incident.
- Retrieve or limit the dissemination of PHI, if possible.
- Collect evidence
- Preserve information about the incident which can serve as evidence.
Controls addressed (Code, Section, Title, Text):
- ISO A.16.1.1 Responsibilities and procedures: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
- ISO A.16.1.2 Reporting information security events: Information security events shall be reported through appropriate management channels as quickly as possible.
- ISO A.16.1.4 Assessment of and decision on information security events: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
- ISO A.16.1.5 Response to information security incidents: Information security incidents shall be responded to in accordance with the documented procedures.
- ISO A.16.1.7 Collection of evidence: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
Notify the appropriate parties when any breach of PII or PHI occurs
- A breach is treated as discovered by us on the first day on which it is known, or by exercising reasonable diligence should have been known, to any employee or agent of ours other than the person who committed the breach.
- Notify the appropriate legal authority in a timely manner
- within 72 hours of discovery
- If a legal authority requires it, delay further notification
- in accordance with the law, and document the request and the period of delay
- Notify affected customers and other appropriate parties in a timely manner
- without unreasonable or undue delay
- no later than 60 calendar days after discovery
- Include in the notification
- a brief description of what happened
- a description of the types of data involved
- a brief description of the actions taken in response to the breach
- contact procedures for the customer to ask questions and obtain further information
Controls addressed (Code, Section, Title, Text):
- ISO A.6.1.3 Contact with authorities: Appropriate contacts with relevant authorities shall be maintained.
- GDPR Article 33 Notification of a personal data breach to the supervisory authority:
  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
  3. The notification referred to in paragraph 1 shall at least: (a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) describe the likely consequences of the personal data breach; (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
- HIPAA 164.410 Notification by a business associate: (a) Standard. (1) General rule. A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach. (2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency). (b) Implementation specifications: Timeliness of notification. Except as provided in § 164.412, a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. (c) Implementation specifications: Content of notification. (1) The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach. (2) A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under § 164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available.
- HIPAA 164.412 Law enforcement delay: If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall: (a) If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or (b) If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time.
Analyse and document
- Research and analyse the incident to understand what occurred.
- Improve system security if appropriate based on the results of the analysis.
- Create an internal report and share it with the appropriate members of the workforce in order to expand our knowledge of security incidents and prevention.
- Create a customer report and share it with the customer.
- Update training and awareness programs for employees if appropriate.
Controls addressed (Code, Section, Title, Text):
- ISO A.16.1.6 Learning from information security incidents: Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
Require notifications from suppliers
- Require our suppliers to immediately report all breaches, losses, or compromises of PHI, whether secured or unsecured.
- Include breach notification requirements in supplier contracts.
Report weaknesses
- Report security weaknesses that are observed or suspected.
Controls addressed (Code, Section, Title, Text):
- ISO A.16.1.3 Reporting information security weaknesses: Employees and contractors using the organization's information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services.
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
Code, Section, Title, Text:
- ISO A.16.1 Management of information security incidents and improvements: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
- CHI SR83 Reporting Security Incidents Involving the EHRi: The EHRi must – and all PoS systems connected to the EHRi should – trigger a notification to the accountable person specified in Security Requirement 3 – Information Security Management, Co-ordination and Allocation of Responsibilities of every detected pattern of system misuse (see Security Requirement 45 – Detecting Patterns of Misuse).
- CHI SR84 Responding to Security Incidents Involving the EHRi: Organizations hosting components of the EHRi must establish incident management responsibilities and procedures to ensure a quick, effective and orderly response to security incidents and to collect and preserve incident-related data such as audit trails, logs and other evidence.
- HIPAA 164.308(a)(6) Security incident procedures: (i) Standard: Security incident procedures. Implement policies and procedures to address security incidents. (ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
- HIPAA 164.414(b) Burden of proof: In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at § 164.402.