Incident Response

To meet federal requirements and provide IHS with centralized incident reporting and response services, IHS established the IHS Cybersecurity Incident Response Team (CSIRT) to coordinate IHS-wide cyber security information sharing, analysis, and response activities. The IHS CSIRT provides a centralized resource for collecting, analyzing, and disseminating information technology security incident-related information.

The IHS CSIRT coordinates incident response planning with Area information systems security officers (ISSO), site managers, local IT staff and various external entities. The IHS CSIRT reports activities to the IHS Chief Information Security Officer and the HHS Computer Security Incident Response Center (CSIRC).

IHS CSIRT Services

The IHS CSIRT provides the following services:

  • Cyber-related alerts, warnings, advisories, and lessons learned
  • Centralized incident reporting, tracking, and response coordination
  • Coordination with IHS Area Offices and facilities for computer security

The CSIRT is part of the Division of Information Security, Office of Information Technology, and is located in Rockville, MD.

Incident Response Procedures

If you witness a suspicious IHS event or a potential incident, IMMEDIATELY do the following:

  • Contact - via email, phone or in person - your site manager or local ISSO. Be prepared to provide the date, time, location, and any other information you feel may be useful.
  • If you do not reach your site manager or local ISSO, contact your Area ISSO.
  • If you do not reach the Area ISSO, contact the IHS CSIRT using the information at the bottom of this page.
  • To minimize impact on a possible investigation, do not discuss any suspicious activity with others.
  • If the potential incident involves an information system:
    • STOP using the information system. Wait for further instructions from your ISSO or the CSIRT.
    • LOCK the system (e.g., Ctrl+Alt+Delete → Lock Computer).
    • Do NOT turn it off, logout, or otherwise change anything.
    • If possible, prevent others from physically accessing the system.

Contact Information

IHS Cybersecurity Incident Response Team (during business hours):
CSIRT Email:
or contact the IHS Help Desk