What is HIPAA Incident Response Planning?

HIPAA incident response planning consists of conducting a risk assessment to determine what threats exist to the confidentiality, integrity, and availability of Protected Health Information, and establishing policies and procedures to respond to any HIPAA security incidents that evade detection by existing security mechanisms.

HIPAA incident response planning is a requirement of the HIPAA Security Rule inasmuch as the Security Incident Procedures standard of the Administrative Safeguards requires HIPAA covered entities and business associates to implement policies and procedures that:

“Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes”. §164.308(a)(6)

How HIPAA covered entities and business associates comply with this requirement depends on factors such as how they define a HIPAA incident, how they interpret the “flexibility of approach” standard, the outcome of a risk assessment, and existing security mechanisms, policies, and procedures.

How Should a HIPAA Incident be Defined?

The definition of a HIPAA incident appears in – and only applies to – the HIPAA Security Rule. Importantly, the definition includes unsuccessful attempts to use, disclose, modify, or destroy Protected Health Information (PHI) as well as successful attempts to access or steal PHI.

The definition also applies to any attempt – successful or otherwise – to access or interfere with systems maintaining PHI, and includes “sleeping malware” that sits in the background gathering intelligence and mapping network infrastructure while waiting for an activation trigger.

Because of risks such as these, HIPAA covered entities and business associates are advised to include reviews of reports produced by Intrusion Prevention Systems in their HIPAA incident response planning to be better prepared for when sleeping malware is activated.

Reviews of reports and audit logs can also help identify trends in unsuccessful access attempts. For example, if there has been an increasing number of brute force attacks on login credentials, HIPAA regulated entities will know to strengthen password security or add secondary levels to login procedures such as biometric or multi-factor authentication.
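As an added illustration of the audit-log review described above (example code written for this page, not part of the original article or any vendor product), the script below parses constructed sample log lines in an assumed `timestamp event user= src=` format, flags source addresses with a burst of failed logins inside a short window, and counts failures per ISO week so a rising trend stands out in periodic reviews.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit-log lines (not from any real system): timestamp, event, user, source.
SAMPLE_LOG = """\
2024-03-04T08:01:10 LOGIN_FAIL user=nurse.a src=192.0.2.9
2024-03-04T09:15:44 LOGIN_FAIL user=clerk.c src=198.51.100.20
2024-03-11T08:01:10 LOGIN_FAIL user=nurse.a src=203.0.113.7
2024-03-11T08:01:14 LOGIN_FAIL user=nurse.a src=203.0.113.7
2024-03-11T08:01:19 LOGIN_FAIL user=dr.b src=203.0.113.7
2024-03-11T08:01:23 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-11T08:01:30 LOGIN_FAIL user=dr.b src=203.0.113.7
2024-03-11T08:02:02 LOGIN_FAIL user=dr.b src=203.0.113.7
2024-03-11T08:10:00 LOGIN_OK user=dr.b src=198.51.100.20
malformed line that is skipped by the parser
"""
LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")

def parse_log(text):
    """Return (timestamp, event, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def brute_force_sources(events, window_minutes=5, threshold=5):
    """Flag sources with >= threshold failures in any window_minutes span; returns {src: (peak, users)}."""
    fails = defaultdict(list)
    for ts, ev, user, src in events:
        if ev == "LOGIN_FAIL":
            fails[src].append((ts, user))
    flagged = {}
    for src, items in fails.items():
        items.sort()
        start, peak = 0, 0
        for end, (ts, _u) in enumerate(items):
            while (ts - items[start][0]).total_seconds() > window_minutes * 60:
                start += 1  # slide the window forward past old failures
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = (peak, sorted({u for _t, u in items}))
    return flagged

def weekly_failure_trend(events):
    """Failed logins per ISO week, so periodic reviews can see whether attempts are rising."""
    weeks = Counter(ts.isocalendar()[1] for ts, ev, _u, _s in events if ev == "LOGIN_FAIL")
    return dict(sorted(weeks.items()))
```

Running `brute_force_sources` and `weekly_failure_trend` over `parse_log(SAMPLE_LOG)` flags the single bursting source with the accounts it targeted, and shows failures rising from week 10 to week 11; the window and threshold are the knobs a regulated entity would tune to its own risk assessment.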

What does Flexibility of Approach Mean?

The HIPAA Security Rule is technology neutral to ensure flexibility, scalability, and adaptability for different types of HIPAA regulated entities and evolving technologies. Instead of mandating specific security technologies and security systems, the HIPAA Security Rule provides general security standards that HIPAA regulated entities must comply with.

However, the flexibility of approach standard (§164.306(b)) allows HIPAA covered entities and business associates to implement the most appropriate and reasonable security measures to meet their needs. When deciding what security measures to implement, a HIPAA covered entity or business associate has the flexibility to choose security measures according to:

  • Their size and technical capabilities.
  • Their existing infrastructure and software security capabilities.
  • The cost of additional security measures.
  • The probability and criticality of potential risks to PHI.

This means it may not be necessary for a small medical practice to invest in a sophisticated security platform with Security Orchestration, Automation, and Response (SOAR) capabilities that require expert configuration and integration. However, it is also not an excuse for larger organizations with more resources to take shortcuts with the security of PHI.

What Should a Risk Assessment Cover?

The determining factor in what security measures to implement – and what HIPAA incident response planning should consist of – is a HIPAA risk assessment. The risk assessment should consider threats from external actors, but also those from members of the workforce who may – inadvertently or otherwise – expose vulnerabilities in security. Examples include:

  • Workforce members who download unsanctioned “shadow IT” apps to “get the job done”.
  • Workforce members who use their authorized login credentials to snoop on health records.
  • Workforce members who share their login credentials with other members of the workforce.
  • Errors by workforce members when configuring services or applying patches to software.
  • The failure to secure devices on which PHI is stored, or through which PHI can be accessed.
  • Workforce susceptibility to phishing emails, drive-by downloads, and infected attachments.

When assessing insider threats, it is important not to overlook that business associates and subcontractors may be subject to the same threats. Therefore, in the context of HIPAA incident response planning, HIPAA covered entities and business associates also need to consider the threats from downstream partners and plan for incidents originating from these sources.

How to Identify (and Fill) Gaps in HIPAA Incident Response Planning

Most HIPAA covered entities and business associates will likely already have several security mechanisms in place, and some policies and procedures on how to respond to a HIPAA security incident. The way to identify and fill gaps in HIPAA incident response planning is to consider every reasonably anticipated threat and conduct tabletop “what if” exercises.

The objective of tabletop “what if” exercises is to establish “the probability and criticality of potential risks to PHI”, determine what security mechanisms or HIPAA training is required to reduce the risk to an appropriate and reasonable level, and compare the required security mechanisms and HIPAA training against those that are already in place.

Using this information along with the flexibility of approach standard, HIPAA covered entities can fill gaps in HIPAA incident response planning to ensure policies and procedures exist for all “suspected or known security incidents” so that designated members of the workforce are aware of what steps to take in response to an intercepted or reported HIPAA security incident.

It is important to be aware that, in addition to establishing policies and procedures to respond to HIPAA security incidents, procedures must be in place to document all actions taken in response to a security incident and the outcome of each incident. This documentation should be reviewed after each incident and periodically thereafter to continuously improve HIPAA incident response planning.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]