incident-response Controls

Credentials are revoked immediately on known or suspected compromise

An incident response plan is documented and maintained

Incident response roles and contacts are designated and current

Incident response exercises are conducted at least annually

Implement policies and procedures to address security incidents involving ePHI

The estimated impact and scope of adverse events are understood

Information on adverse events is provided to authorized staff and tools

Incidents are declared when adverse events meet the defined criteria

Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated

Relevant suppliers are included in incident planning, response, and recovery activities

Incident response plans and cybersecurity plans are established, maintained, and improved

Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders

Public updates on the incident and ongoing recovery are shared using approved methods and messaging

The integrity of restored assets is verified, the asset is deemed secure, and normal operating status is confirmed

Forensics are performed

Execute the incident response plan in coordination with relevant third parties

Incidents are contained

Incidents are eradicated

Detected security incidents are evaluated and classified

Security incidents are responded to and contained

Incidents are recovered from and resumption of operations is documented