HIPAA Core Policy: Security Incident Response

Abstract: This policy establishes guidelines for reporting and investigating known and suspected information security incidents.
Effective Date: 8/22/2012
Contacts: None Assigned
Applies To: Faculty, Staff, Students


1. PURPOSE: To establish guidelines for reporting and investigating known and suspected information security incidents.


2. PHILOSOPHY: It is our belief that data integrity, availability, and confidentiality must be guarded in order to protect information and information technology.


3. APPLICABILITY: This standard applies to all UAB/UABHS Covered Entities: University Hospital and all its facilities, The Kirklin Clinic, Callahan Eye Hospital, UAB Health Centers, Medical West, VIVA Health, Inc., University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions and UAB School of Nursing. For purposes of this standard, UAB/UABHS Covered Entities shall be referred to as "UAB", "UAB Covered Entities", or "UAB/UABHS/UAHSF".



4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Network service department: A group such as Health System Information Services or UAB Network Services that is responsible for maintaining network infrastructure.

4.1.2. Malicious code: Any program that is intended to circumvent security measures, destroy data, collect data for unauthorized third parties, or propagate data onto another system, e.g. exploits, viruses, worms, spyware.

4.1.3. Computer and network abuse: The use of resources in a manner inconsistent with UAB/UABHS policy.

4.1.4. Incident notification: The initial discovery of a suspected security event. Note that notification occurs when logs are viewed rather than when the events are initially logged.

4.1.5. Compromised system: Any entity computing or network resource that is performing actions on behalf of an unauthorized user, e.g. as a result of spyware, viruses, or stolen passwords.

4.1.6. Security incident: The attempted or successful unauthorized or inappropriate access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.


5. STANDARDS:
5.1. The appropriate network service department may disable network access in order to mitigate exposure from incidents.
5.1.1. The HIPAA Information Security Office or the UAB IT Data Security Office may request that network access be disabled.
5.1.2. The HIPAA Information Security Office or the UAB IT Data Security Office shall approve restoration of network access.
5.2. Suspected incidents shall be reported to one of the following:
5.2.1. HSIS Help Desk at 934-8888
5.2.2. AskIT Help Desk at 996-5555
5.3. Network Service Department Responsibilities
5.3.1. Ensure incident documentation with the appropriate incident tracking system.
5.3.2. Enable and disable network ports in covered entities in coordination with the HIPAA Information Security Office or the UAB IT Data Security Office.
5.4. Help Desk Responsibilities
5.4.1. The help desk shall document all reported incidents.
5.4.2. The help desk shall enact the appropriate incident response procedures including contacting appropriate system administrators and data security office.
5.4.3. Compromised systems, denial of service attacks, threats, or illegal activity shall be addressed within 4 hours of receiving incident notification, e.g. by disconnecting the system from the network, removing the virus, or notifying the data security office. Note that this involves contacting the appropriate system or network administrators.
5.4.4. Other acts of computer and network abuse shall be addressed as soon as possible after receiving the incident notification.
5.5. User Responsibilities
5.5.1. Report security incidents to the appropriate help desk.
5.5.2. Cooperate with incident response investigations and resolutions.
5.5.3. Provide documentation of actions taken to address incidents.
5.6. Management Responsibilities
5.6.1. Report security incidents to the appropriate help desk.
5.6.2. Ensure users and system administrators are trained in incident response procedures, including isolating systems and preserving evidence.
5.6.3. Cooperate with incident response investigations and resolutions.
5.6.4. Ensure users and system administrators report incidents to the appropriate help desk.
5.7. System Administrator Responsibilities
5.7.1. Ensure incident documentation with the appropriate incident tracking system.
5.7.2. Change all system passwords, once the appropriate incident response has been completed, after any incident involving a compromised system or the system administrator's user account.
5.7.3. Cooperate with incident response investigations and resolutions.
5.7.4. Provide documentation of actions taken to address incidents.
5.7.5. Monitor system logs at least once every business day to detect computer and network abuse.
5.7.6. Ensure that systems are secure prior to reconnecting them to the network (e.g. by cleaning viruses, restoring from backup, reinstalling, or applying security patches).
5.8. HIPAA Information Security Office Responsibilities
5.8.1. Maintain incident response procedures in coordination with other data security offices.
5.8.2. Conduct investigations on security incidents in coordination with appropriate system administrators.
5.8.3. Create and maintain an incident tracking system that includes incident details and outcomes and stores incident logs for a period of no less than six years.
5.8.4. Coordinate incident response activities across organizational boundaries.
5.8.5. Reassess preventative and detective controls for systems following an incident in coordination with the appropriate system administrators and management.

5.9. UAB/UABHS employees who do not follow the above standards may be subject to disciplinary action up to and including dismissal.

5.10. Vendors or contractors who do not follow the above standards may be subject to breach of contract penalties.


5.11. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this standard, contact one of the following:

5.11.1. your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/securitycontacts.htm)

5.11.2. the HSIS Help Desk at 934-8888

5.11.3. the UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu

5.11.4. UAB/UABHS HIPAA Security Office at 975-0072

5.11.5. UAB IT Data Security Office at 975-0842


6. REFERENCES: None.


7. SCOPE: This standard applies to all UAB/UABHS entities covered under HIPAA and their systems that maintain PHI.


8. ATTACHMENTS: None


To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/standards.htm.