Congratulations to tw-Security—2024 Best in KLAS® Security & Privacy Services!

We're #1! Thank you to all our partners and customers!

Ask yourself – “How secure are we? How prepared are we?”

Healthcare organizations are more vulnerable than ever before. Cyber villains have evolved from stealing patient data to shutting down operations and holding the organization hostage. This may be old news, yet each week we learn of another data breach.

An expanded distributed workforce, public health surveillance, and supporting technologies contribute to the rapid change in healthcare operational practices. These, combined with never-ending cybersecurity threats, increase the chance to encounter a data breach or incident attack.

Organizations that are prepared with a measured and practiced incident response procedure have the best possible means to remediate and recover from an attack.

Our service provides benefits to your organization by:

  • Reducing recovery time and efficiently restoring services
  • Improving your legal and regulatory defensibility
  • Providing a framework for continuous improvement

Our Process

There are three elements to a response; people, process, and technology. When a cyber-event is suspected, discovered, or identified, tw-Security focuses on the people and process functions. We accomplish this through a methodical approach that promotes a culture of incident prevention and recovery.

Our ‘Cyber Incident Response Framework’ is based on NIST’s incident response phases, regulatory requirements, and industry best practices.  See Sample/Example – Incident Response (IR) Flowchart.

Initially, we review the organization’s current-state response efforts and relevant policies and procedures.  Then we modify/create and review/edit playbooks and flowcharts which are aligned with NIST and/or ISO standards and the HIPAA ePHI breach requirements. These efforts support identifying a “best fit” scenario to create a script and handouts. Working with your organization we identify key stakeholders to participate in a tabletop exercise to “test” your response procedures.  After, we facilitate a debrief or “after-action” review. You may discover that your procedures and process documentation will need to be updated. The greatest value is testing your response to reinforce your preparedness to react in a “real incident” situation.

Ransomware response readiness

Ransomware, the fastest growing malware threat is distinct from other malware. HHS and the OCR have provided guidance to assist HIPAA covered entities and business associates on ransomware prevention and recovery. Guidance is also provided on how HIPAA breach notification processes should be managed in response to a ransomware attack.

The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. Ransomware could possibly be a reportable breach. tw-Security gathers data to evaluate your incident response readiness to address a ransomware event. The results aid in identifying where to focus improvement efforts for reducing and managing risk.


Before conducting a tabletop exercise, we provide training. The training helps staff to quickly and efficiently investigate an incident, document the event, and protect evidence. This training helps an organization respond to the Office for Civil Rights (OCR) for specific events if requested.

  • Explain regulatory drivers (and prevailing practices) for doing a tabletop
  • Review incident reporting and response fundamentals
  • Review breach reporting requirements (HHS/OCR guidelines)

Knowledge Transfer

We provide “knowledge transfer” through leadership by example. During the facilitated hands-on tabletop exercise, we include “injections.” The injections result in a more realistic incident scenario. Throughout the tabletop exercise, we are monitoring the exercise’s overall effectiveness. The monitoring helps identify areas for improvement, and possible workaround procedures while we document lessons learned. After the exercise, we amend the response playbooks and create or update a Prioritized Action Plan to guide future response direction.

Finding the time to plan, enhance, and test a cyber-attack incident response policy and the process can be challenging. 

WE CAN HELP. Contact tw-Security to enhance your Incident Response Program!

Incident Response (IR) Flowchart Example