# Security incident response runbook (medtech)

**Version:**  
**Owner:**  
**Last tabletop:**

## Severity levels (example)

- **SEV1:** Active exploitation; patient-safety impact or widespread PHI exposure.
- **SEV2:** Confirmed breach of limited scope; no active exploitation.
- **SEV3:** Suspected issue; investigation ongoing.

## Roles

| Role | Primary | Backup |
|------|---------|--------|
| Incident commander | | |
| Technical lead | | |
| Legal / privacy | | |
| Comms | | |
| Custodian liaison | | |

## Detection and declaration

- Log sources; alert routes:
- When to declare an incident (criteria):

## Containment

- Isolate systems; revoke credentials; preserve logs:

## Eradication and recovery

- Patch path; validation before restore:
- Customer / site communication template location:

## Regulatory and custodian notification

- Triggers for Health Canada, FDA, OIPC, custodian (confirm with counsel):
- Document timeline (discovery, containment, notification):

## Post-incident

- Root cause; CAPA linkage:
- Runbook updates:
