11. Incident Response Policy#
WayToHealth implements an information security incident response process to consistently detect, respond to, and report incidents; minimize loss and destruction; mitigate the weaknesses that were exploited; and restore information system functionality and business continuity as soon as possible.
The incident response process addresses:
- Continuous monitoring of threats through intrusion detection systems (IDS) and other monitoring applications;
- Establishment of an information security incident response team;
- Establishment of procedures to respond to media inquiries;
- Establishment of clear procedures for identifying, responding, assessing, analyzing, and follow-up of information security incidents;
- Workforce training, education, and awareness on information security incidents and required responses; and
- Facilitation of clear communication of information security incidents with internal, as well as external, stakeholders.
Note: These policies are inherited from Penn Medicine's Incident Response policy.
11.1 Applicable Standards#
11.1.1 Applicable Standards from the HITRUST Common Security Framework#
- 11.a - Reporting Information Security Events
- 11.c - Responsibilities and Procedures
11.1.2 Applicable Standards from the HIPAA Security Rule#
- 164.308(a)(5)(i) - Security Awareness and Training
- 164.308(a)(6) - Security Incident Procedures
11.2 Incident Management Policies#
The WayToHealth incident response process follows the processes defined by Penn Medicine. This is based on the policy updated as of 5/31/2016 (ISD-SEC-10). These are defined as follows.
11.2.1 Summary#
Penn Medicine must ensure the effective response to and management of security events that may compromise the confidentiality, integrity, or availability of confidential data or other Penn Medicine assets. This document, the Security Incident Response Policy (or “Policy”), outlines the governance and procedures to define, address, and report on incident response activities.
11.2.1.1 Purpose#
The purpose of this Policy is to direct individuals and offices in responding to security incidents in a structured, efficient, and compliant manner.
11.2.1.2 Scope#
This Policy applies to all members of the workforce of Penn Medicine and all Security Incidents, as defined below. This Policy is owned by and resides with the Penn Medicine Corporate Information Services (IS). This Policy also involves significant participation by the Offices of Information Security, Privacy, General Counsel, and other areas of Penn Medicine as needed. This Policy should be reviewed and updated periodically, informed by experience addressing data security incidents and tabletop exercises.
11.2.1.3 Implementation#
All Penn Medicine workforce members, as defined above, are responsible for implementation of this policy.
11.2.1.4 Authority and Responsibility#
IS is responsible for the operation of Penn Medicine's data networks as well as the establishment of information security policies, guidelines, and standards. The Office of Audit, Compliance and Privacy, including the PMPO, has authority to develop and oversee policies and procedures regarding the privacy of personal information. These offices therefore have the authority and responsibility to specify security incident response requirements to protect those networks as well as Penn Medicine data contained on those networks.
11.2.2 Procedure#
- 1. Reporting Security Incidents
  - 1.1. Workforce members who suspect a security incident has taken place are required by policy to notify the Office of Information Security (“OIS”). See UPHS Information Security Incident Reporting Policy.
  - 1.2. Upon such notification, OIS is responsible for:
    - 1.2.1. Establishing an Incident Response Team when, based on the level of risk, a Team-based approach would be warranted to address such risk. See Section 2.
    - 1.2.2. Following Incident Handling Procedures as appropriate. See Section 3.
  - 1.3. OIS must determine whether Protected Health Information (PHI) or other Confidential Data is or was vulnerable or exposed.
  - 1.4. If OIS has determined that PHI or other Confidential Data was vulnerable or exposed in connection with the Security Incident, OIS must notify the Penn Medicine Privacy Office (PMPO). The PMPO is responsible for ensuring that Breach Analysis and Response Procedures are followed. See Section 4 below.
  - 1.5. All Data Security Incidents must:
    - a. Generate the creation of an Immediate Response Team on a per-incident basis when, based on the level of risk, a Team-based approach would be warranted to address such risk. See Section 2 below.
    - b. Follow appropriate Breach Analysis and Response procedures. See Section 4 below. OIS is responsible for logging, investigating, and reporting on data security incidents.
- 2. Immediate Response Team
  - 2.1. Purpose. The purpose of each Immediate Response Team is to supplement Penn Medicine's information security infrastructure and minimize the threat of damage resulting from Security Incidents.
  - 2.2. Per Incident Basis. An Immediate Response Team shall be created for Security Incidents when OIS or OACP determines such a Team is appropriate to address the incident.
  - 2.3. Membership. Membership on the Immediate Response Team shall be as designated by OIS. In most cases, members shall include a representative from OIS Information Security and from the affected area’s technical and management staff. In the case of a Data Security Incident, such Team shall also include a member of the PMPO.
  - 2.4. Responsibilities. Responsibilities of the Immediate Response Team are to assess the incident and follow incident handling procedures appropriate to the incident, as determined by OIS. In the case of Data Security Incidents, responsibilities also include assisting in the PMPO’s Breach Analysis and Response.
  - 2.5. Confidentiality. Immediate Response Team members will share information about security incidents beyond the Immediate Response Team only on a need-to-know basis, and only after consultation with all other team members.
- 3. Incident Handling. The following is a list of response priorities that should be reviewed and followed as recommended by OIS. The most important items are listed first.
  - 3.1. Safety and Human Issues. If an information system involved in a security incident affects human life and safety, responding to any incident involving any life-critical or safety-related system is the most important priority.
  - 3.2. Address Urgent Concerns. There may be urgent concerns about the availability or integrity of critical systems or data that must be addressed promptly.
  - 3.3. Establish Scope of Incident. The Immediate Response Team shall promptly work to establish the scope of the incident and to identify the extent of systems and data affected. This includes determining whose hands the data may have fallen into, and the length and extent of the exposure.
  - 3.4. Determine the Scope of the Data. This includes an analysis of the amount and type of data that was exposed.
  - 3.5. Containment. Once life-critical and safety issues have been resolved, the Immediate Response Team shall identify and implement actions to be taken to reduce the potential for the spread of an incident or its consequences across additional systems and networks. Such steps may include requiring that the system be disconnected from the network.
  - 3.6. Develop Plan for Preservation of Evidence. The Immediate Response Team shall develop a plan promptly upon learning about an incident for identifying and implementing appropriate steps to preserve evidence, consistent with the need to restore availability. Preservation plans may include preserving relevant logs and screen captures. The affected system may not be rebuilt until the Immediate Response Team determines that appropriate evidence has been preserved. Preservation will be addressed as quickly as possible to restore availability that is critical to maintain operations.
  - 3.7. Investigate the Incident. The Immediate Response Team shall investigate the causes of the incident and future preventative actions. During the investigation phase, members of the incident response team will attempt to determine exactly what happened during the incident, especially the vulnerability that made the incident possible. In short, investigators will attempt to answer the following questions: Who? What? Where? When? How?
  - 3.8. Incident-Specific Risk Mitigation. The Immediate Response Team shall identify and recommend strategies to mitigate risk of harm arising from the incident, including but not limited to reducing, segregating, or better protecting personal, proprietary, or mission-critical data.
  - 3.9. Restore Availability. Once the above steps have been taken, and upon authorization by the Immediate Response Team, the availability of affected devices or networks may be restored.
  - 3.10. Penn Medicine-Wide Learning. The Immediate Response Team shall develop and arrange for implementation of a communications plan to spread learning from the security incident throughout Penn Medicine to individuals best able to reduce risk of recurrence of such incident. This Penn Medicine-wide learning must utilize solely de-identified PHI in order to avoid a possible breach.
- 4. Breach Analysis and Response
  - 4.1. When PHI has been vulnerable or exposed, the PMPO shall, based on information gathered by the Incident Response Team, conduct an analysis of whether a “breach” as defined by HIPAA has occurred.
  - 4.2. If a breach has occurred, the PMPO, in consultation with Entity Privacy Officers, the Office of General Counsel, and Human Resources as appropriate, will develop and implement a plan to notify the patient(s) affected within 60 days, consistent with requirements under HIPAA.
  - 4.3. If a breach has occurred and the number of individuals affected is greater than 500, the PMPO is responsible for ensuring appropriate notification to HHS, the media, and the data subjects within 60 days, consistent with requirements under HIPAA.
  - 4.4. At the latest, by the close of February of any calendar year, the PMPO is responsible for reporting to HHS any breaches that have occurred in the prior calendar year.
  - 4.5. All security incidents involving PHI or other Confidential Data, regardless of whether they qualify as a “breach” under HIPAA, must be logged in the Navex system maintained by OACP, or any successor system.
- 5. Senior Response Team. The Senior Response Team (SRT) consists of the Associate Vice President for Audit, Compliance and Privacy, the Penn Medicine General Counsel, the Penn Medicine Chief Information Officer and Vice President, and the Senior Vice President for Communications. The SRT can be convened by any member of the Senior Response Team when requested. Ordinarily, this will be in cases of incidents or breaches with significant impact to the individuals or the organization. The SRT will be charged with the responsibility to (1) determine whether additional briefing of leadership is warranted, and (2) guide and oversee investigations, required notifications, and other material responses to the security incident.
DEFINITIONS:
- Security Incident: A real or suspected adverse event in relation to the security of information systems, networks, data, or other assets, such as a Denial of Service/Distributed Denial of Service attack, website defacement, ransomware (malware), or a breach, among many other things.
- Breach: A type of security incident that encompasses the unauthorized access, use, or disclosure of unsecured PHI, as further defined by HIPAA, and other Confidential Data.
- Workforce Member: All faculty members, physicians, employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.