Incident Response & Disaster Recovery

Overview

HIPAA requires documented procedures for security incident response (45 CFR § 164.308(a)(6)) and contingency planning (45 CFR § 164.308(a)(7)).

1. Roles and Responsibilities

Role	Responsibility
HIPAA Privacy Officer	PHI use oversight, patient rights, breach notification
HIPAA Security Officer	Technical safeguards, incident response lead
Cloud Administrator	GCP infrastructure response
Legal Counsel	Breach notification compliance, regulatory reporting

Fill in contact details before going live. Store in a location accessible without GCP (e.g., physical binder + encrypted offline document).

2. Incident Classification

Severity	Description	Response Time
P1 — Critical	Active breach, ongoing data exfiltration	< 1 hour
P2 — High	Confirmed PHI exposure, account compromise	4 hours
P3 — Medium	Suspected breach, anomalous activity	24 hours
P4 — Low	Policy violations, near-misses	72 hours

3. Incident Response Process

Detect → Contain → Analyze → Eradicate → Recover → Document → Notify

Step 1 — Detect

# Query for anomalous DB access during investigation
gcloud logging read \
  'protoPayload.authenticationInfo.principalEmail!="[email protected]"
   AND resource.type="cloudsql_database"' \
  --project=YOUR_PHI_PROJECT_ID --format=json

Step 2 — Contain

# Revoke a compromised service account
gcloud iam service-accounts disable \
  COMPROMISED_SA@YOUR_PROJECT_ID.iam.gserviceaccount.com \
  --project=YOUR_PHI_PROJECT_ID

# Remove a user's IAM access
gcloud projects remove-iam-policy-binding YOUR_PHI_PROJECT_ID \
  --member="user:[email protected]" --role="roles/ROLE_NAME"

# Block an IP via Cloud Armor
gcloud compute security-policies rules create 900 \
  --security-policy=phi-waf-policy \
  --expression="inIpRange(origin.ip, 'ATTACKER_IP/32')" \
  --action=deny-403 --project=YOUR_PHI_PROJECT_ID

Step 3 — Analyze

# Export audit logs for the incident time window
gcloud logging read \
  "timestamp >= \"2026-02-20T00:00:00Z\" AND timestamp <= \"2026-02-20T23:59:59Z\"" \
  --project=YOUR_PHI_PROJECT_ID --format=json > incident_logs.json

Step 5 — Recover

# List available backups
gcloud sql backups list --instance=phi-db-instance --project=YOUR_PHI_PROJECT_ID

# Restore from backup
gcloud sql instances restore-backup phi-db-instance \
  --backup-id=BACKUP_ID \
  --restore-instance=phi-db-restore \
  --project=YOUR_PHI_PROJECT_ID

4. HIPAA Breach Notification Requirements

Notification Timeline

Notification	Recipient	Deadline
Internal escalation	Privacy Officer, Security Officer	Immediately
Affected individuals	Patients whose PHI was breached	Within 60 days
Secretary of HHS (< 500 affected)	HHS.gov portal	Within 60 days after year end
Secretary of HHS (≥ 500 affected)	HHS.gov portal	Within 60 days of discovery
Media notice (≥ 500 in a state)	Prominent media outlet	Within 60 days

Required Notification Content

Brief description of the breach
Types of PHI involved
Steps individuals can take to protect themselves
What you are doing to investigate, mitigate, and prevent recurrence
Contact information

HHS Reporting Portal: https://ocrportal.hhs.gov/ocr/breach/wizard.jsf

5. Disaster Recovery Plan

Recovery Objectives

Metric	Target
RTO (Recovery Time Objective)	4 hours
RPO (Recovery Point Objective)	1 hour

Backup Architecture

Primary Region (us-central1)
├── Cloud SQL (PRIMARY)
│   ├── Automated daily backup → Cloud Storage
│   └── PITR: 7-day transaction log window
│
└── Redis (STANDARD_HA)
    └── Automatic failover to standby replica

DR Runbook — Cloud SQL Failure

# 1. Check instance state
gcloud sql instances describe phi-db-instance \
  --format="value(state)" --project=YOUR_PHI_PROJECT_ID

# 2. List backups
gcloud sql backups list --instance=phi-db-instance --project=YOUR_PHI_PROJECT_ID

# 3. Restore
gcloud sql instances restore-backup phi-db-instance \
  --backup-id=LATEST_BACKUP_ID \
  --restore-instance=phi-db-recovery --project=YOUR_PHI_PROJECT_ID

DR Test Schedule

Test Type	Frequency
Backup restore (Cloud SQL)	Quarterly
Redis failover test	Semi-annually
Full DR tabletop exercise	Annually
Full DR live failover	Annually

Next: Risk Assessment →

Overview​

1. Roles and Responsibilities​

2. Incident Classification​

3. Incident Response Process​

Step 1 — Detect​

Step 2 — Contain​

Step 3 — Analyze​

Step 5 — Recover​

4. HIPAA Breach Notification Requirements​

Notification Timeline​

Required Notification Content​

5. Disaster Recovery Plan​

Recovery Objectives​

Backup Architecture​

DR Runbook — Cloud SQL Failure​

DR Test Schedule​

Overview

1. Roles and Responsibilities

2. Incident Classification

3. Incident Response Process

Step 1 — Detect

Step 2 — Contain

Step 3 — Analyze

Step 5 — Recover

4. HIPAA Breach Notification Requirements

Notification Timeline

Required Notification Content

5. Disaster Recovery Plan

Recovery Objectives

Backup Architecture

DR Runbook — Cloud SQL Failure

DR Test Schedule