MedStack Technology Compliance Policies

Information security incidents

Use automated systems to detect, log, and alert on suspicious activity

  • Intrusion Detection System (IDS)
    • Install and run IDS on all systems.
    • Automatically alert staff when highly suspicious events are detected.
  • Security Information and Event Management (SIEM)
    • Operate a SIEM covering all systems.
    • Centrally log information-security-related events.
    • Provide a facility for staff to search and analyze logs.
  • Incident Response (IR)
    • Use an Incident Response system to automatically alert and manage the staff response to incidents.

Immediately respond upon detection

  • Notify management and employees
    • Inform the CPSO and other management of the incident.
    • Notify additional employees if needed to assist with incident response.
  • Classify the incident
    • Identify and classify the severity of the incident.
    • Determine the actual risk to PHI and to the subject(s) of the PHI.
  • Mitigate harmful effects
    • Disable systems (if appropriate) to prevent the incident from continuing.
    • Repair, patch, or otherwise correct the condition or error that created the incident.
    • Retrieve or limit the dissemination of PHI, if possible.
  • Collect evidence
    • Preserve information about the incident which can serve as evidence.

Code    Section      Title
ISO     A.16.1.1     Responsibilities and procedures
ISO     A.16.1.2     Reporting information security events
ISO     A.16.1.4     Assessment of and decision on information security events
ISO     A.16.1.5     Response to information security incidents
ISO     A.16.1.7     Collection of evidence
SOC2    CC2.2        COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2    CC7.2        The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
SOC2    CC7.3        The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
SOC2    CC7.4        The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
SOC2    CC7.5        The entity identifies, develops, and implements activities to recover from identified security incidents.
SOC2    P6.5         The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity's objectives related to privacy.
SOC2    P6.6         The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity's objectives related to privacy.

Notify the appropriate parties when any breach of PII or PHI occurs

  • A breach is treated as discovered by us
    • on the first day on which such breach is known, or should reasonably have been known,
    • to any employee or agent of ours, other than the person who committed the breach.
  • Notify the appropriate legal authority in a timely manner
    • within 72 hours
  • If required by a legal authority, delay further notification
    • in accordance with the law
  • Notify affected customers and other appropriate parties in a timely manner
    • without unreasonable or undue delay
    • no later than 60 calendar days after discovery
  • Include in the notification
    • a brief description of what happened
    • a description of the types of data involved
    • a brief description of the actions taken in response to the breach
    • contact procedures for the customer to ask questions and obtain further information

Code    Section      Title
ISO     A.6.1.3      Contact with authorities
HIPAA   164.41       Notification by a business associate
HIPAA   164.412      Law enforcement delay
GDPR    Article 33   Notification of a personal data breach to the supervisory authority
SOC2    CC1.3        COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Analyse and document

  • Research and analyse the incident to understand what occurred.
  • Improve system security if appropriate based on the results of the analysis.
  • Create an internal report and share it with the appropriate members of the workforce in order to expand our knowledge of security incidents and prevention.
  • Create a customer report and share it with the customer.
  • Update training and awareness programs for employees if appropriate.

Code    Section      Title
ISO     A.16.1.6     Learning from information security incidents
SOC2    CC2.2        COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2    CC7.5        The entity identifies, develops, and implements activities to recover from identified security incidents.

Require notifications from suppliers

  • Require our suppliers to immediately report all breaches, losses, or compromises of PHI, whether secured or unsecured.
  • Include breach notification requirements in supplier contracts.

Report weaknesses

  • Report security weaknesses that are observed or suspected.

Code    Section      Title
ISO     A.16.1.3     Reporting information security weaknesses
SOC2    CC2.2        COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2    CC2.3        COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
SOC2    CC4.2        COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
SOC2    CC7.2        The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
SOC2    CC7.3        The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

Enforcement

  • Responsible party: All managers and supervisors
  • Sanctions: standard

References

Code    Section          Title
ISO     A.16.1           Management of information security incidents and improvements
CHI     SR83             Reporting Security Incidents Involving the EHRi
CHI     SR84             Responding to Security Incidents Involving the EHRi
HIPAA   164.308(a)(6)    Security incident procedures
HIPAA   164.414(b)       Burden of proof