HIPAA - Security Incident Procedures 164.308(a)(6)(i)


Overview:
Implement policies and procedures to address security incidents.


Action Items:
1) Obtain and review the policies and procedures related to security incidents. Elements to review may include but are not limited to:
   - Identification of what specific events would be considered a security incident
   - Identification of workforce members' roles and responsibilities regarding security incidents
   - Management involvement regarding security incidents
   - Workforce members or roles to which the incident response policies and procedures are to be disseminated
   - Coordination of security incidents among business associates
   - Identification of what steps should be taken in response to a security incident
   - The frequency with which current security incident policies and procedures are reviewed and updated
2) Obtain and review documentation demonstrating that security incident policies and procedures are implemented. Evaluate and determine whether policies and procedures are appropriate for addressing security incidents and are in accordance with related policies and procedures.


Related Documents:
1) Policies and procedures related to security incidents.
2) Documentation demonstrating that security incident policies and procedures are implemented.


Additional Guidance:
The purpose of this standard is to require covered entities to address security incidents within their environment. Addressing security incidents is an integral part of the overall security program. Implementing the Security Rule standards will reduce the number and types of security incidents a covered entity encounters, but security incidents will still occur. Even covered entities with detailed security policies and procedures and advanced technology will have security incidents.


The Security Rule defines a security incident as, “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Security incident procedures must address how to identify security incidents and provide that the incident be reported to the appropriate person or persons.


Whether a specific action would be considered a security incident, the specific process of documenting incidents, what information should be contained in the documentation, and what the appropriate response should be will be dependent upon an entity’s environment and the information involved. An entity should be able to rely upon the information gathered in complying with the other Security Rule standards, for example, its risk assessment and risk management procedures and the privacy standards, to determine what constitutes a security incident in the context of its business operations.



Article ID: 452
Created: September 28, 2022
Last Updated: September 28, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-security-incident-procedures-164-308-a-6-i-452.html