§164.308(a)(6)(ii): Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
Audit Inquiry
Does the entity have policies and procedures in place for identifying, responding to, reporting, and mitigating security incidents?
Does the entity identify, respond to, report, and mitigate security incidents?
Obtain and review policies and procedures related to responding to and reporting security incidents. Evaluate and determine if incident response procedures are in place.
Elements to review may include but are not limited to:
• A methodology for defining security incidents based on levels of criticality
• Provisions for reporting and responding to all types of known and suspicious security incidents based on criticality levels of such incidents
• The roles and responsibilities of workforce members including the entity’s security incident response team
Obtain and review documentation of responding to, reporting, and mitigating security incidents. Evaluate and determine if security incident response, reporting, and mitigation procedures are followed by workforce members; are conducted in a timely manner; and their outcomes are properly documented and communicated to the appropriate workforce members.
Required/Addressable
Required