Q&A: Differentiating between security incidents and breaches
Q: What is the difference between a security incident and a breach? Should they be handled differently?
A: A security incident is an incident that results in potential harm. It may be as simple as what’s called a ping—someone checking for holes in your firewall. It may also be as complex as malware that shuts down a network or an unauthorized disclosure of PHI or PII. A breach is a security incident that results in the unauthorized disclosure of PHI. Some also call a breach a privacy incident.
All CEs and BAs are required to maintain a security incident response team and develop a security incident response plan. That plan needs to address the identification, investigation, and mitigation of security incidents, among other things. The plan should also be tested at least annually.
Regarding breaches, all CEs and BAs are required to develop a breach response plan so suspected or identified breaches of unsecure PHI can be responded to quickly. If, during a security incident investigation, it is discovered that a breach of unsecure PHI occurred, that would trigger the breach notification plan. Not all security incidents result in a breach, so the breach notification plan is not always utilized in the event of a security incident. As an example, if a break-in occurred and there was a theft of encrypted laptops, it would not result in the breach of unsecure PHI, and the breach notification plan would not be triggered.
It’s important to remember that cybersecurity incidents are a subset of security incidents. A security incident may involve malware, physical break-ins, faxing PHI to the wrong number, and so forth. Both a security incident response plan and a breach notification plan need to address electronic and non-electronic incidents.
Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.