# Incident Response Plan
HIPAA Rule: §164.308(a)(6)
## Purpose
Define procedures for identifying, containing, eradicating, and recovering from security incidents involving PHI systems.
## Incident Classification
| Severity | Definition | Examples |
|---|---|---|
| P1 — Critical | Confirmed PHI breach or active attack | Ransomware, unauthorized PHI export, root account compromise |
| P2 — High | Suspected breach or significant threat | GuardDuty High finding, unauthorized access to NHC account |
| P3 — Medium | Anomalous activity, no confirmed breach | Unusual API call pattern, screenshot bucket access spike |
| P4 — Low | Policy violation, no PHI at risk | Unencrypted resource created (caught by Config) |
## Incident Response Team
| Role | Responsibility |
|---|---|
| Incident Commander | DevOps lead — coordinates response |
| Security Analyst | Investigates CloudTrail / logs |
| App Owner | Assesses application-level impact |
| Legal / Compliance | Breach notification decision |
## Response Procedures
### Step 1: Detect
Detection sources:
- GuardDuty alert
- CloudWatch alarm
- Security Hub finding
- Manual report
### Step 2: Contain
- Isolate affected EC2 (modify security group to deny all inbound)
- Revoke compromised IAM credentials immediately
- For screenshot bucket: temporarily restrict all access pending investigation
### Step 3: Investigate
- Use CloudTrail to trace all API calls in the timeframe
- Use VPC Flow Logs to identify lateral movement
- Use S3 access logs to identify data accessed
- Document findings in the incident log
### Step 4: Eradicate
- Remove attacker access
- Patch or replace compromised instances (via AMI)
- Rotate all potentially exposed credentials
### Step 5: Recover
- Restore from AWS Backup if data integrity is compromised
- Verify CloudTrail and logging are intact
- Re-run AWS Config conformance pack to confirm clean state
### Step 6: Post-Incident
- Complete incident report within 72 hours
- Determine if breach notification is required (see Breach Notification)
- Update this plan if gaps were identified
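As an added worked example for Step 3 (not part of this plan or its tooling), the Python below triages constructed CloudTrail records: it keeps only the calls made with the suspect access key inside the incident window, flags object reads from the screenshot bucket and IAM changes that would survive a credential rotation, and maps the result onto the severity table above. The bucket name, access key ids and records are constructed placeholders.

```python
import json

# Constructed CloudTrail records (the shape of a delivered log file, trimmed to
# the fields used here); bucket name and access key ids are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:58:10Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.4.12", "requestParameters": {},
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventTime": "2024-05-01T10:03:05Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "example-phi-screenshots", "key": "pt/1.png"},
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventTime": "2024-05-01T10:04:40Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "ci-deploy"},
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventName": "GetObject",
     "sourceIPAddress": "10.0.4.12",
     "requestParameters": {"bucketName": "example-phi-screenshots", "key": "pt/2.png"},
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000002"}},
]})

PHI_BUCKETS = {"example-phi-screenshots"}  # assumption: the screenshot bucket
DATA_READS = {"GetObject", "CopyObject", "SelectObjectContent"}
PERSISTENCE = {"CreateAccessKey", "CreateUser", "AttachUserPolicy",
               "PutUserPolicy", "CreateLoginProfile"}

def triage(trail_json, access_key_id, start, end):
    """Calls made with the suspect key inside [start, end], tagged 'phi_read' (object
    read from a PHI bucket) or 'persistence' (IAM change), plus source IPs seen."""
    hits, ips = [], set()
    for r in json.loads(trail_json)["Records"]:
        # CloudTrail eventTime is ISO 8601 UTC, so string comparison orders correctly.
        if (r["userIdentity"].get("accessKeyId") != access_key_id
                or not start <= r["eventTime"] <= end):
            continue
        p = r.get("requestParameters") or {}
        flags = []
        if r["eventName"] in DATA_READS and p.get("bucketName") in PHI_BUCKETS:
            flags.append("phi_read")
        if r["eventName"] in PERSISTENCE:
            flags.append("persistence")
        ips.add(r["sourceIPAddress"])
        hits.append({"time": r["eventTime"], "event": r["eventName"],
                     "ip": r["sourceIPAddress"], "key": p.get("key"), "flags": flags})
    return hits, sorted(ips)

def severity(hits):
    """Classification table: a PHI object read is P1 (confirmed breach), else P2."""
    return "P1" if any("phi_read" in h["flags"] for h in hits) else "P2"
```

The returned entries (time, event, source IP, object key, flags) are the timeline and PHI exposure determination the incident log requires.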
## Contact List
Fill in with actual names, phone numbers, and Slack handles.
| Role | Name | Contact |
|---|---|---|
| Incident Commander | TBD | TBD |
| Security Analyst | TBD | TBD |
## Incident Log
Maintain an incident log at: [shared drive / ticketing system — TBD]
Each entry must include: date, severity, description, timeline, resolution, PHI exposure determination.