Overview

A computer information security incident report should be completed when a known violation of Medical Center or University IT policy, standards, or procedures has occurred.

Purpose

When any potential computer security incident occurs, it is important that it be reported as quickly as possible in a standard format. By following this procedure, those using Medical Center computing resources provide the Health IT (HIT) Security team with an incident report that can be used for further investigation and adjudication of security-related incidents.

Scope

This procedure applies to all Medical Center employees and customers and to any device accessing Medical Center IT resources.

Description

A computer information security incident is any event that exposes Medical Center IT resources to intentional or unintentional disclosure, alteration, loss, or disrupted service levels. Incident reports should be completed when there are known violations of Medical Center or University IT security or acceptable use policies, standards, and guidelines.

When someone becomes aware of any electronic information security incident, they must contact Health Information and Technology (HIT) and complete a Computer Security Incident Report as per Health System Policy IT-002, Use of Electronic Information and Systems. IT security incidents should be considered a high priority.

Any incident involving Protected Health Information (PHI) must be reported to the Corporate Compliance and Privacy Office for investigation and follow-up (see Medical Center Policy No. 0021: Confidentiality of Patient Information).

A Computer Security Incident Report may be submitted online through the Computer Security Incident Report web site or by contacting the HIT Help Desk at (434)924-5334.

All reports will be kept confidential. It is critical that suspected wrongful conduct be reported in 'good faith' as soon as it becomes apparent. Employees and customers who, in good faith, report suspected wrongful conduct will be protected from retaliation. Individuals engaging in wrongful conduct, including the failure to comply with policies and procedures and all Federal Health Care Program requirements, or failure to report such non-compliance will be subject to sanctions that may lead to suspension, termination, or other disciplinary action.

Potential examples of computer information security incidents include but are not limited to:

  • Potential unauthorized disclosure, corruption, or exposure of data
  • Loss, theft, or unauthorized modification of hardware, electronic media, or important (not necessarily confidential) data difficult or impossible to recover
  • Defacement of websites
  • Potential significant financial loss
  • Widespread negative impact on the computing environment, such as interference with systems operation
  • Data or hardware loss, modification, or denial of service that could potentially lead to public embarrassment for the Medical Center
  • Contacts from FBI, Secret Service, or other law enforcement organizations regarding computer crimes
  • Denial of service (information systems are not usable)
  • Malicious code (virus, worm, spyware, etc.)
  • Unauthorized access or use of an individual's computing account
  • Inappropriate usage or disclosure of sensitive data
  • Use of IT resources for unethical or unlawful purposes

Document Supporting Resources