HIPAA Incident Response: What Happens in the First 24 Hours Matters

The Hours That Set the Trajectory

When a security incident strikes a medical or dental practice — ransomware, a compromised mailbox, a lost device, a discovered intrusion — the first 24 hours largely determine how the whole event plays out. Decisions made in those early hours affect how much damage occurs, whether evidence is preserved, whether notification deadlines are met, whether insurance coverage holds, and how quickly patient care can resume. Practices that improvise in this window move slower, make avoidable mistakes, and often make the situation worse.

The antidote is a documented incident response plan prepared while calm. The current HIPAA Security Rule requires security incident procedures, and the HHS/OCR proposed updates published in early 2025 would make incident response a more defined expectation. But the real reason to have a plan is practical: in the chaos of a live incident, you want to be following a checklist you wrote with a clear head, not inventing one under pressure.

This is a walk through what the first 24 hours should look like.

First: Recognize and Report

An incident can only be managed if it’s recognized and reported. The first piece of a working plan is making sure everyone in the practice knows how to report something that looks wrong — a ransom message on a screen, an email that turned out to be phishing that someone clicked, a missing laptop, an account behaving strangely.

The reporting path must be simple and known to everyone: who do you tell, and how, the moment you suspect something? In many practices that’s a designated internal contact and the MSP or IT provider. The worst outcome is a staff member who notices something alarming, isn’t sure whether it’s serious, and stays quiet for hours while the situation worsens. Make reporting easy, blame-free, and fast — early reporting of a false alarm is far better than late reporting of a real incident.

Second: Contain

Once an incident is confirmed, the immediate priority is containment — stopping the spread. With ransomware especially, every minute of unchecked access can mean more encrypted systems and more compromised data. Containment might mean isolating affected machines from the network, disabling a compromised account, or cutting off a network segment.

There is an important balance here, which is why having technical expertise engaged immediately matters: you want to contain the threat without destroying the evidence you’ll need later, and without causing more disruption than necessary. Pulling the right plug stops the bleeding; pulling the wrong one can wipe forensic evidence or take down systems that weren’t even affected. This is a judgment call best made by people who know what they’re doing and have thought about it in advance.

“In the first hour of a ransomware event, the instinct is to start deleting and rebuilding to get back to work. That instinct destroys the evidence your insurer, your forensics team, and possibly regulators will need. Contain first, preserve, then recover.”

Third: Escalate to Legal and Compliance

A security incident at a healthcare practice is not just a technical problem — it’s a potential legal and compliance event. Early escalation to the right people is critical because some decisions have legal consequences and some clocks start running immediately.

The plan should identify who handles the legal and compliance dimension — whether that’s a compliance officer, outside counsel experienced in healthcare breaches, or both. They help assess whether the incident is a reportable breach under the Breach Notification Rule, what the notification obligations and deadlines are, and how to handle the event in a way that’s legally defensible. Engaging them early, rather than after the technical dust settles, prevents missteps that are hard to undo.

Fourth: Notify Your Cyber Insurer

If you carry cyber insurance — and you should — your policy almost certainly requires you to notify the insurer promptly, often within a specific and short window. Miss that window and you risk your coverage for the very event the policy exists to cover.

Beyond the contractual requirement, your insurer is a resource. Many carriers provide access to experienced incident response vendors, forensics specialists, and breach counsel — and some require you to use their approved vendors for coverage to apply. Knowing your insurer’s notification requirements and approved-vendor rules in advance, and having that information in your incident response plan, means you won’t be reading your policy for the first time in the middle of a crisis.

Fifth: Preserve Evidence

Evidence handling runs alongside containment and matters for several reasons: understanding what actually happened, meeting legal and regulatory expectations, satisfying insurer requirements, and supporting any law enforcement involvement. The instinct to immediately wipe and rebuild affected systems is understandable but can destroy the very evidence needed to determine the scope of the incident — including whether ePHI was actually accessed, which directly affects your notification obligations.

Good evidence handling means preserving affected systems and logs in their current state where feasible, documenting what was observed and what actions were taken with timestamps, and letting forensic specialists examine things before systems are rebuilt. This is another reason recovery should follow a deliberate process rather than a panicked one.
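One way to make the "preserve logs, document everything with timestamps" step concrete, as an added example that is not part of this article: a small Python helper that hashes each artifact as it is preserved, logs every observation and action in UTC, and tracks the insurer notification deadline from the discovery time. The sample log contents, the 72-hour window, the IP address and the role names are constructed assumptions, not values from the page.

```python
"""Incident record: a timestamped action log plus a hashed evidence manifest.
Added example, not the article's. Hashing each preserved artifact at collection
and timestamping every action lets forensics or the insurer confirm nothing changed."""
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash an artifact in chunks so large disk images need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

class IncidentRecord:
    def __init__(self, discovered_at: datetime, insurer_window_hours: int):
        # Clocks start at discovery; the insurer's window is whatever the policy says.
        self.discovered_at = discovered_at.astimezone(timezone.utc)
        self.insurer_deadline = self.discovered_at + timedelta(hours=insurer_window_hours)
        self.timeline = []  # ordered {"at", "who", "entry"} dicts
        self.manifest = {}  # artifact path -> {"sha256", "preserved_at"}

    def log(self, who: str, entry: str, at=None) -> dict:
        """Record what was observed or done, stamped in UTC (now unless given)."""
        at = (at or datetime.now(timezone.utc)).astimezone(timezone.utc)
        self.timeline.append({"at": at.isoformat(), "who": who, "entry": entry})
        return self.timeline[-1]

    def preserve(self, path: Path, who: str) -> str:
        """Hash an artifact as it is preserved and log the act of preserving it."""
        digest = sha256_file(path)
        entry = self.log(who, f"preserved {path.name} sha256={digest}")
        self.manifest[str(path)] = {"sha256": digest, "preserved_at": entry["at"]}
        return digest

    def verify(self, path: Path) -> bool:
        """True only if the artifact still matches the hash taken at preservation."""
        return sha256_file(path) == self.manifest[str(path)]["sha256"]

def demo():
    """Constructed sample: a log exported from a host serving a suspect mailbox."""
    log_file = Path(tempfile.mkdtemp()) / "mailserver-export.log"
    log_file.write_text("2025-03-04T02:13:07Z login user=frontdesk src=203.0.113.9 ok\n"
                        "2025-03-04T02:14:51Z rule-created forward-all user=frontdesk\n")
    rec = IncidentRecord(datetime(2025, 3, 4, 8, 30, tzinfo=timezone.utc), 72)
    rec.log("office manager", "front desk reported an unexpected auto-forward rule")
    rec.preserve(log_file, "MSP on-call")
    return rec, log_file
```

Re-running `verify()` before handing artifacts to forensics shows whether anything was touched after collection, which is the question an insurer or counsel will ask.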

Throughout: Keep Patient Care Going

All of this unfolds while patients still need care. A security incident cannot mean abandoning patients, which is where the connection to your downtime and emergency-mode operations procedures becomes vital. The incident response plan and the business continuity plan are two halves of the same preparedness: one manages the security event, the other keeps the practice functioning while it’s managed.

In the first 24 hours, someone needs to own the question of continuity: how do we keep seeing patients safely while affected systems are isolated? This means activating downtime procedures, communicating with staff about what systems are available, and managing patient expectations. Keeping care going is not a distraction from incident response — it is part of it.

A First-24-Hours Framework

  1. Report — the incident is recognized and reported immediately through a known, simple path.
  2. Contain — stop the spread by isolating affected systems and accounts, carefully, preserving evidence.
  3. Escalate — bring in legal/compliance early to assess obligations and protect defensibility.
  4. Notify the insurer — within the policy’s window, and use their approved resources.
  5. Preserve evidence — don’t wipe and rebuild before forensics; document everything with timestamps.
  6. Sustain care — activate downtime procedures so patients keep getting seen.

Each of these is far easier when it’s written down in advance, with names, contact numbers, and steps — not improvised at 2 a.m.

The Byzantine Takeaway

The first 24 hours of a security incident set the trajectory for everything that follows. A documented incident response plan turns those hours from chaotic improvisation into a sequence of deliberate steps: recognize and report, contain without destroying evidence, escalate to legal and compliance, notify your cyber insurer within the required window, preserve evidence for forensics, and keep patient care going through your downtime procedures. HIPAA requires incident procedures, and the proposed rule reinforces them — but the real payoff is simpler. When something goes wrong, and eventually something will, the practice that prepared moves faster, makes fewer mistakes, and recovers sooner.