What’s a Security Incident? When is it a Breach?

Security Incident

Security incidents will happen, and when they do, effective response planning is a major factor in how much operational or reputational harm, or legal liability, an organization suffers. Being able to respond to incidents in a systematic way ensures that appropriate response steps are taken each time, helping to minimize the impact of breaches.

The HIPAA Security Rule defines a security incident as an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304.)

The HIPAA Breach Notification Rule defines a breach as, generally, an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. (See the definition of breach at 45 CFR 164.402.)

As of August 16, 2017, a total of 2,022 healthcare data breaches had been reported on the HHS “Wall of Shame”. Those breaches have resulted in the theft or exposure of 174,993,734 individuals’ protected health information. Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Covered Entities (CEs) and their Business Associates (BAs) are expected to provide security controls that ensure the confidentiality, integrity, and availability (CIA) of protected health information (PHI). However, having robust and fairly resilient systems will not eliminate the possibility that a cybersecurity incident could occur in your organization.

Despite the requirements of HIPAA, a large percentage of CEs believe they will not be notified of security incidents or cyberattacks by their BAs. They also find it difficult to manage security incidents involving BAs, and consider it impossible to determine whether the data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach.

CEs and BAs should train all workforce members, including management, on incident reporting, and may wish to conduct security audits and enterprise-wide risk analysis to evaluate the BAs’ or subcontractors’ security and privacy practices. Without such training and oversight, ePHI and the systems that contain ePHI may be at significant risk.

In recent years, the healthcare sector has been one of the biggest targets of cybercrime, with many breaches resulting from weak authentication.

Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients’, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat about your compliance program – schedule a call with HIPAA alli today!