• Information security incidents
  • Metadata
  • Use automated systems to detect, log, and alert on suspicious activity
  • Immediately respond upon detection
  • Notify the appropriate parties when any breach of PII or PHI occurs
  • Analyse and document
  • Require notifications from suppliers
  • Report weaknesses
  • Enforcement
  • References

Information security incidents

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31

Use automated systems to detect, log, and alert on suspicious activity

• Intrusion Detection System (IDS)
  • Install and run IDS on all systems.
  • Automatically alert staff when highly suspicious events are detected.
• Security Information and Event Management (SIEM)
  • Operate a SIEM covering all systems.
  • Centrally log information-security related events.
  • Provide a facility for staff to search and analyze logs.
• Incident Response (IR)
  • Use an Incident Response system to automatically alert and manage the staff response to incidents.

Immediately respond upon detection

• Notify management and employees
  • Inform the CPSO and other management of the incident.
  • Notify additional employees if needed to assist with incident response.
• Classify the incident
  • Identify and classify the severity of the incident.
  • Determine the actual risk to PHI and to the subject(s) of the PHI.
• Mitigate harmful effects
  • Disable systems (if appropriate) to prevent the incident from continuing.
  • Repair, patch, or otherwise correct the condition or error that created the incident.
  • Retrieve or limit the dissemination of PHI, if possible.
• Collect evidence
  • Preserve information about the incident which can serve as evidence.

Code	Section	Title
ISO	A.16.1.1	Responsibilities and procedures
ISO	A.16.1.2	Reporting information security events
ISO	A.16.1.4	Assessment of and decision on information security events
ISO	A.16.1.5	Response to information security incidents
ISO	A.16.1.7	Collection of evidence
SOC2	CC7.3	The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
SOC2	CC7.4	The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
SOC2	CC7.4	The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC7.2	The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
SOC2	CC7.3	The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
SOC2	P6.5	The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s objectives related to privacy.
SOC2	P6.6	The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy.
SOC2	CC7.3	The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
SOC2	CC7.3	The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
SOC2	CC7.4	The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
SOC2	CC7.5	The entity identifies, develops, and implements activities to recover from identified security incidents.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC7.4	The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
SOC2	CC7.4	The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
SOC2	CC7.5	The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

Notify the appropriate parties when any breach of PII or PHI occurs

• A breach is treated as discovered by us
  • the first day on which such breach is known or should reasonably have been known
  • to any employee or agent of ours, other than the person who committed the breach.
• Notify customers and the appropriate legal authorities in a timely manner
  • within 72 hours
• Delay notification to customers under certain circumstances
  • if required by a legal authority
  • if notifying will increase the risk to other customers
• Include details that are available in the notification
  • a brief description of what happened
  • a description of the types of data involved
  • a brief description of the actions taken in response to the breach
  • contact procedures for the customer to ask questions and obtain further information

Code	Section	Title
ISO	A.6.1.3	Contact with authorities
HIPAA	164.41	Notification by a business associate
HIPAA	164.412	Law enforcement delay
GDPR	Article 33	Notification of a personal data breach to the supervisory authority
SOC2	CC1.3	COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Analyse and document

• Research and analyse the incident to understand what occurred.
• Improve system security if appropriate based on the results of the analysis.
  • If needed, create reports
    • to share internally, to improve our information security
    • to share with the customer, to inform them of what occurred
• Update training and awareness programs for employees if appropriate.

Code	Section	Title
ISO	A.16.1.6	Learning from information security incidents
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC7.5	The entity identifies, develops, and implements activities to recover from identified security incidents.

Require notifications from suppliers

• Require our suppliers to report all breaches, losses, or compromises of PHI, whether secured or unsecured.
• Require notification promptly, and at least within the legally required timeline.
• Include breach notification requirements in supplier contracts.

Report weaknesses

• Report security weaknesses that are observed or suspected.

Code	Section	Title
ISO	A.16.1.3	Reporting information security weaknesses
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC2.3	COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
SOC2	CC4.2	COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
SOC2	CC7.2	The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
SOC2	CC7.3	The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.16.1	Management of information security incidents and improvements
CHI	SR83	Reporting Security Incidents Involving the EHRi
CHI	SR84	Responding to Security Incidents Involving the EHRi
HIPAA	164.308(a)(6)(i)	Standard: Security incident procedures
HIPAA	164.308(a)(6)(ii)	Response and reporting (Required)

August 30, 2022

Powered by