
Information Security Incident Management Policy

Classification Public
Location https://www.medcrowd.com/compliance/iso27001/policies/InformationSecurityIncidentManagement
Author Paul Gardner
Approver Felix Jackson
Approved 14th December 2016
Revision history (date - author - changes):

19th June 2023 - Paul Gardner - Periodic review
6th June 2022 - Paul Gardner - Periodic review
16th February 2021 - Paul Gardner - Periodic review
12th February 2020 - Paul Gardner - Periodic review
25th May 2018 - Paul Gardner - Notifying the ICO is now mandatory and within 72 hours for breaches involving personal data
15th May 2018 - Paul Gardner - Periodic review
15th November 2016 - Paul Gardner - Moved to the web; added HIPAA to Compliance
17th May 2016 - Paul Gardner - Change document location; state when an ISI ticket may be closed
30th July 2015 - Paul Gardner - Periodic review
8th September 2014 - Paul Gardner - Rebranding
2nd July 2014 - Paul Gardner - Initial revision

Introduction

This policy is part of the medDigital ISMS and must be fully complied with.

medDigital is responsible for the security and integrity of all data it holds. We must protect this data using all means necessary by ensuring at all times that any incident which could cause damage to assets and reputation is prevented and/or minimised.

An information security incident is an adverse event affecting information or our ability to process information. This includes:

  • Loss of information
  • Compromise of integrity of information
  • Unauthorised access to systems
  • Misuse of systems or information
  • Theft and damage to systems
  • Virus attacks
  • Inadvertent disclosure of credentials

Ensuring efficient reporting and management of security incidents will help reduce and, in many cases, prevent incidents from occurring.

medDigital has an incident reporting mechanism in place which details the procedures for the identification, reporting and recording of security incidents. By continually updating and informing employees, contractors and suppliers of the importance of this identification, reporting and the action required to address incidents, we can continue to be proactive in addressing these incidents when they occur.

All employees, contractors and suppliers are required to report all incidents, including potential or suspected incidents, as soon as possible via the Incident Reporting procedures.

Compliance

The Data Protection Act (2018) requires that personal data be kept secure against unauthorised access or disclosure.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides data privacy and security provisions for safeguarding medical information.

The Computer Misuse Act (1990) covers unauthorised access to computer systems.

Breaches of Policy

Breaches of this policy and/or security incidents are incidents which could have resulted, or have resulted, in loss or damage, or conduct which is in breach of procedures and policies.

In the case of vendors and contractors, non-compliance will result in the immediate removal of access to systems. If damage or compromise of the systems results from non-compliance, we will consider legal action.

In the case of an employee, if damage or compromise of the systems results from non-compliance, they will be dealt with under the disciplinary procedure.

Incident Reporting Procedure

Report the incident by email to security@meddigital.com.

This email creates a ticket in the helpdesk and email notification is sent to the Information Security Manager who will:

  • Carry out a risk assessment and determine the severity of the incident
  • In the event of a breach involving personal data - notify the ICO within 72 hours
  • Determine which other parties should be notified, including personnel, clients, users, suppliers, regulatory authorities and law enforcement, taking into consideration the requirements of the Data Protection Act/GDPR
  • Develop a recovery and damage limitation plan
  • Escalate to individuals and teams as required

All parties dealing with the incident shall undertake to:

  • Keep the ticket updated with relevant information throughout the process
  • Analyse and establish the cause of the incident and take any steps necessary to prevent a recurrence
  • Maintain communication and confidentiality throughout the investigation
  • Identify issues caused as a result of the incident to prevent or reduce further impact
  • Escalate to external vendors where appropriate
  • Add any relevant log files or other evidence to the ticket
  • Ensure all corrective and preventative measures are implemented and monitored for effectiveness

Information Security Incident tickets may only be closed by the Information Security Manager once they have confirmed that all of the above points have been fully resolved.