© 2026 D3rx. All rights reserved.


Administrative Safeguards (164.308)

Security Incident Response Policy

45 CFR § 164.308(a)(6)

Defines how your practice identifies, responds to, mitigates, and documents security incidents involving ePHI. Establishes the response team, escalation paths, and documentation requirements that are critical during a real incident.

What's Included

  • Policy document
  • Incident response flowchart
  • Incident report form
  • Post-incident review template
  • Implementation checklist
  • Annual review template
3 pages · ~1,180 words · 8 sections
Estimated customization: ~10 minutes
Last updated May 2026

Sample Preview

Page 1 of 3

Security Incident Response Policy

Version 1.0 · Effective [EFFECTIVE DATE] · Approved by [PRIVACY/SECURITY OFFICER NAME]

1. Purpose

This policy establishes the procedures for identifying, responding to, documenting, and mitigating security incidents that involve or may involve ePHI at [PRACTICE NAME]. A defined incident response process minimizes damage, reduces recovery time, and ensures that incidents are properly documented for regulatory compliance.

2. Scope

This policy applies to all suspected or confirmed security incidents involving ePHI or the information systems that create, receive, maintain, or transmit ePHI. It covers incidents originating from internal workforce members, external threat actors, business associates, and natural or environmental events. All workforce members are responsible for reporting suspected incidents.

3. Policy Statement

[PRACTICE NAME] shall implement policies and procedures to address security incidents, as required by 45 CFR § 164.308(a)(6). The practice shall identify and respond to suspected or known security incidents, mitigate harmful effects to the extent practicable, and document incidents and their outcomes. When a security incident constitutes a breach of unsecured PHI, the Breach Notification Policy shall also be activated.

4. Definitions

Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined at 45 CFR § 164.304.

Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined at 45 CFR § 164.402. Not all security incidents are breaches, and not all breaches are security incidents: a "security incident" under 45 CFR § 164.304 concerns events affecting information systems, whereas a breach may involve PHI in any form, including paper or verbal disclosures that never touch an information system. Incidents involving electronic information systems are handled under this policy; breaches involving non-electronic PHI are handled under the Breach Notification Policy and applicable Privacy Rule procedures.

Incident Response Team (IRT): The designated group of individuals responsible for managing the incident response process.

Containment: Actions taken to limit the scope and magnitude of an incident and prevent further unauthorized access or damage.

Eradication: The process of removing the cause of an incident (e.g., malware removal, vulnerability patching).

Recovery: Restoring affected systems to normal operations and confirming that the threat has been eliminated.

5. Procedures

1. INCIDENT RESPONSE TEAM

1.1 The IRT shall consist of: Security Officer (team lead), Privacy Officer, IT Manager/Vendor, Practice Administrator, and Legal Counsel (external, as needed).

1.2 The Security Officer shall serve as the primary point of contact for all security incidents and shall coordinate the IRT's response.

2. IDENTIFICATION AND REPORTING

2.1 All workforce members shall immediately report any suspected security incident to the Security Officer via [REPORTING METHOD — e.g., phone, email, incident report form].

2.2 Examples of reportable incidents include: unauthorized access to patient records, lost or stolen devices containing ePHI, phishing emails or social engineering attempts, malware or ransomware infections, unauthorized changes to system configurations, physical break-in or unauthorized facility access, accidental disclosure of ePHI (e.g., misdirected fax or email), and vendor or business associate security incidents affecting [PRACTICE NAME]'s data.

2.3 The Security Officer shall log all reported incidents in the Security Incident Log within 24 hours of the report.

3. INITIAL ASSESSMENT AND TRIAGE

3.1 Within [NUMBER] hours of receiving a report, the Security Officer shall conduct an initial assessment to determine: whether the report constitutes a security incident, the systems and data potentially affected, the severity of the incident (Critical, High, Medium, Low), and the immediate actions needed.

3.2 Severity Levels:
  • Critical: Active ongoing unauthorized access, ransomware encryption in progress, or large-scale data exfiltration. Requires immediate response.
  • High: Confirmed unauthorized access to ePHI, stolen device with unencrypted ePHI, or malware detected on ePHI systems. Requires response within 4 hours.
  • Medium: Suspicious activity that may indicate unauthorized access, failed login patterns, or minor policy violations. Requires response within 24 hours.
  • Low: Informational events or near-misses with no evidence of actual unauthorized access. Requires documentation and review.

4. CONTAINMENT

4.1 Based on the severity assessment, take immediate containment actions, which may include: isolating affected systems from the network (prefer network isolation over powering off, since shutting a system down destroys volatile evidence such as memory contents), disabling compromised user accounts, blocking suspicious IP addresses, changing passwords for affected accounts, preserving forensic evidence (capture relevant system, application, and access logs and disk images before any system is wiped, rebuilt, or re-imaged), and contacting law enforcement if criminal activity is suspected.

5. INVESTIGATION AND ERADICATION

5.1 The IRT shall investigate the incident to determine: the root cause, the full scope of data and systems affected, the timeline of the incident, whether ePHI was actually accessed or acquired, and the number of individuals potentially affected.

5.2 Eradicate the threat by: removing malware, patching vulnerabilities, closing unauthorized access points, and validating that the threat has been eliminated.

6. RECOVERY

6.1 Restore affected systems to normal operations using verified clean backups where necessary.

6.2 Confirm that all vulnerabilities exploited in the incident have been remediated before returning systems to production.

6.3 Monitor recovered systems closely for a defined period to confirm the threat does not recur.

7. BREACH DETERMINATION

7.1 Following investigation, the Privacy Officer and Security Officer shall determine whether the incident constitutes a breach of unsecured PHI under 45 CFR § 164.402. Under that section, an acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule is presumed to be a breach unless the practice demonstrates a low probability that the PHI has been compromised, based on a documented risk assessment of at least: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated. PHI that was encrypted or destroyed in accordance with HHS guidance is not "unsecured," so the loss of a properly encrypted device does not by itself trigger notification. The risk assessment and its conclusion shall be retained with the incident record.

7.2 If a breach is confirmed, activate the Breach Notification Policy for notification to affected individuals, HHS, and media (if applicable).

8. POST-INCIDENT REVIEW

8.1 Within [NUMBER] days of incident closure, the IRT shall conduct a post-incident review to document: what happened, how it was detected, how the response was handled, what worked well and what needs improvement, and recommended changes to policies, procedures, or technical controls.

8.2 Implement approved corrective actions and update the Risk Register as needed.

9. DOCUMENTATION

9.1 All incidents shall be documented in the Security Incident Log with: date and time of discovery, reporter name, description of the incident, systems and data affected, response actions taken, outcome and resolution, and date closed.

9.2 Incident documentation shall be retained for a minimum of six (6) years.

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Leads the IRT. Receives and logs all incident reports. Coordinates containment, investigation, and recovery. Conducts post-incident reviews. Maintains the Security Incident Log.

Privacy Officer ([PRIVACY OFFICER NAME]): Participates in breach determination. Activates the Breach Notification Policy when applicable. Assists with post-incident review.

IT Manager/Vendor ([IT CONTACT NAME]): Performs technical containment and eradication. Preserves forensic evidence. Restores systems from backup. Monitors recovered systems.

Practice Administrator ([ADMINISTRATOR NAME]): Approves resource allocation for incident response. Communicates with patients and media if required. Engages legal counsel.

All Workforce Members: Report suspected incidents immediately. Cooperate with investigations. Do not attempt to investigate or remediate incidents independently.

7. Review Schedule

This policy shall be reviewed at least annually and after every significant security incident. The IRT shall conduct at least one tabletop exercise annually to test the incident response procedures and identify areas for improvement.

8. Regulatory References

45 CFR § 164.308(a)(6)(i) — Security incident procedures (Required)
45 CFR § 164.308(a)(6)(ii) — Response and reporting (Required)
45 CFR § 164.304 — Definition of security incident
45 CFR § 164.402 — Definition of breach
45 CFR §§ 164.400–414 — Breach notification requirements
45 CFR § 164.316(b)(2)(i) — Documentation retention (6 years; Security Rule)
NIST SP 800-61 Rev. 3 (April 2025) — Incident Response Recommendations and Considerations for Cybersecurity Risk Management

Templates require customization and legal review before adoption. Not legal advice. See full disclaimer.