A HIPAA security incident is defined by the HIPAA Security Rule as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” It is important to emphasize that unsuccessful attempts are deliberately included in the definition.
It is important for HIPAA covered entities and business associates to understand what a HIPAA security incident is because the Administrative Safeguards of the HIPAA Security Rule require them to implement security incident policies and procedures that address HIPAA security incidents (§164.308(a)(6)).
The policies and procedures must “identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.” To help HIPAA covered entities and business associates comply with this standard, it can be beneficial to analyze the requirements step by step.
Attempted vs Suspected vs Known Security Incidents
There are generally three types of HIPAA security incident. Attempted security incidents are unsuccessful attempts to (for example) brute force a password, find a system vulnerability via a port scan, or deliver malware via a spam email that is blocked by an email filter. These often go unnoticed except by Identity Access Management (IAM) software and Intrusion Prevention Systems.
The second type of HIPAA security incident – “suspected” – consists of successful access attempts that may be malicious but cannot be confirmed as such without further analysis. Examples of suspected HIPAA security incidents include rogue software behavior, benign automated scans (for example, by search engine bots), or delivered emails that have the characteristics of a phishing email.
Known security incidents are those in which there is no doubt that an unauthorized event has occurred: a loss, impermissible disclosure, or compromise of Protected Health Information (including ransomware attacks and insider thefts), system misbehavior, or the delivery of BEC emails purporting to be from a member of the IT team or a senior manager.
Mitigate the Harmful Effects of Security Incidents
Although there are no harmful effects of unsuccessful security incidents, covered entities and business associates should monitor the outputs of IAM software and Intrusion Prevention Systems to identify trends in (for example) brute force password attacks and port scans. This proactive approach to security can mitigate potentially harmful effects of security incidents before the incidents occur.
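The following is an added example (not code from the original article) showing how the three categories above can be applied to raw security telemetry and how trends in attempted incidents can be surfaced from IAM and intrusion-prevention output. It assumes a hypothetical key=value log format, constructed sample lines, and assumed alerting thresholds (five failed logins or four distinct blocked ports from one source); a real deployment would tune these against its own risk analysis.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (hypothetical format; not from any real system).
SAMPLE_LOGS = [
    "2024-05-01T08:00:01 auth src=203.0.113.5 user=jsmith result=FAIL",
    "2024-05-01T08:00:02 auth src=203.0.113.5 user=jsmith result=FAIL",
    "2024-05-01T08:00:03 auth src=203.0.113.5 user=jsmith result=FAIL",
    "2024-05-01T08:00:04 auth src=203.0.113.5 user=jsmith result=FAIL",
    "2024-05-01T08:00:05 auth src=203.0.113.5 user=jsmith result=FAIL",
    "2024-05-01T08:00:06 auth src=203.0.113.5 user=jsmith result=FAIL",
    "2024-05-01T08:01:00 auth src=198.51.100.7 user=mlee result=OK",
    "2024-05-01T08:02:00 fw src=203.0.113.9 dport=22 action=BLOCK",
    "2024-05-01T08:02:01 fw src=203.0.113.9 dport=23 action=BLOCK",
    "2024-05-01T08:02:02 fw src=203.0.113.9 dport=445 action=BLOCK",
    "2024-05-01T08:02:03 fw src=203.0.113.9 dport=3389 action=BLOCK",
    "2024-05-01T08:02:04 fw src=203.0.113.9 dport=8080 action=BLOCK",
    "2024-05-01T08:03:00 mail src=mailer.example action=QUARANTINED reason=malware",
    "2024-05-01T08:04:00 mail src=news.example action=DELIVERED reason=phish_like",
    "2024-05-01T08:05:00 edr host=ws-12 action=ALERT reason=unusual_process",
    "2024-05-01T08:06:00 edr host=fs-01 action=ALERT reason=ransomware",
    "2024-05-01T08:07:00 mail src=ceo-lookalike.example action=DELIVERED reason=bec",
]

# Assumed thresholds for trend reporting on attempted incidents.
BRUTE_FORCE_THRESHOLD = 5   # failed logins from one source
PORT_SCAN_THRESHOLD = 4     # distinct blocked destination ports from one source

ATTEMPTED, SUSPECTED, KNOWN = "attempted", "suspected", "known"
PRIORITY = {KNOWN: 0, SUSPECTED: 1, ATTEMPTED: 2}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse '<timestamp> <source> k=v k=v ...' into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return {"ts": m.group("ts"), "source": m.group("source"), **fields}


def classify(event):
    """Map one event to attempted / suspected / known, or None if not an incident."""
    source, action = event["source"], event.get("action", "")
    reason = event.get("reason", "")
    if source == "auth":                       # IAM output: failed login = attempt
        return ATTEMPTED if event.get("result") == "FAIL" else None
    if source == "fw":                         # IPS output: blocked probe = attempt
        return ATTEMPTED if action == "BLOCK" else None
    if source == "mail":
        if action == "QUARANTINED":            # blocked by the email filter
            return ATTEMPTED
        if action == "DELIVERED" and reason == "bec":
            return KNOWN                       # BEC email reached a mailbox
        if action == "DELIVERED" and reason == "phish_like":
            return SUSPECTED                   # needs analyst confirmation
        return None
    if source == "edr":
        if reason == "ransomware":
            return KNOWN
        if action == "ALERT":
            return SUSPECTED                   # rogue software behaviour
    return None


@dataclass
class IncidentRecord:
    """Minimal documentation record: what was seen, what was done, how it ended."""
    incident_id: str
    category: str
    evidence: str
    actions: list = field(default_factory=list)
    outcome: str = "open"


def attempted_trends(events):
    """Aggregate attempted incidents per source so trends are visible."""
    failed = Counter(e["src"] for e in events
                     if e["source"] == "auth" and e.get("result") == "FAIL")
    ports = defaultdict(set)
    for e in events:
        if e["source"] == "fw" and e.get("action") == "BLOCK":
            ports[e["src"]].add(e.get("dport"))
    return {
        "brute_force_sources": sorted(s for s, n in failed.items() if n >= BRUTE_FORCE_THRESHOLD),
        "port_scan_sources": sorted(s for s, p in ports.items() if len(p) >= PORT_SCAN_THRESHOLD),
    }


def triage(lines):
    """Classify every line, count per category, and build a priority-ordered
    queue of records for events that need analysis (known first, then suspected)."""
    events = [e for e in map(parse_line, lines) if e]
    counts = Counter()
    queue = []
    for n, e in enumerate(events, 1):
        cat = classify(e)
        if cat is None:
            continue
        counts[cat] += 1
        if cat in (KNOWN, SUSPECTED):
            queue.append(IncidentRecord(f"INC-{n:04d}", cat, evidence=e["ts"] + " " + e["source"]))
    queue.sort(key=lambda r: PRIORITY[r.category])
    return {"counts": dict(counts), "trends": attempted_trends(events), "queue": queue}


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    print(result["counts"], result["trends"])
    for rec in result["queue"]:
        print(rec.incident_id, rec.category, rec.evidence, rec.outcome)
```

The queue is the tracking list the article asks for: each suspected or known event gets its own record whose actions and outcome fields are filled in as the response proceeds, while attempted events are counted and summarized rather than individually worked.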
With regard to suspected security incidents, it is important that workforce members receive adequate HIPAA training so they can recognize and report suspicious events. Procedures must exist for triaging reports of suspected HIPAA security incidents and prioritizing analysis of the events so they can be responded to according to their potential harmful effects. There also needs to be a process in place to track the progress of each report to ensure no report is overlooked.
When a known HIPAA security incident is detected, it is necessary to have similar reporting, triaging, analysis, and tracking procedures in place. It is also necessary to have prepared a playbook on how to respond to each type of reasonably anticipated HIPAA security incident (as per the HIPAA Security Rule’s General Requirements §164.306(a)) in order to contain the harmful effects of the incident, resolve the incident, and restore data and systems.
Document Each HIPAA Security Incident and Its Outcome
Regardless of whether a HIPAA security incident is attempted, suspected, or known, every action taken to monitor, analyze, or respond to the incident must be documented. The documentation – and the policies and procedures implemented to comply with §164.308(a)(6) – must be reviewed whenever there is a technology, organization, or regulatory change, and periodically thereafter to evaluate their continued effectiveness.
When a known security incident results in a HIPAA data breach, it is necessary to document when notifications are submitted to affected individuals, HHS’ Office for Civil Rights, and – when required – the media. If law enforcement agencies are notified of the HIPAA data breach, the rationale for notifying them (i.e., ransomware attack, violation of the Social Security Act §1177, etc.) and any outcomes from their investigations must also be documented.
HIPAA covered entities and business associates that require further advice about what is a HIPAA security incident, or who require information about complying with the requirements of the HIPAA Security Rule, are advised to seek independent compliance advice. Those who require assistance with managing the documentation, policies, and procedures should speak with a HIPAA policy management software provider.
Image credit: Mdisk, AdobeStock