Recently, the Department of Health and Human Services’ Office for Civil Rights (OCR) published new guidelines for covered organizations on the correct way to respond to a cyberattack. The guidance includes a quick-response checklist and an accompanying infographic that explain the correct response to a cyberattack and the sequence of steps that should be taken.
Preparation is key to a correct response. Covered entities must have response and mitigation procedures in place, and contingency plans should be implemented immediately following the identification of a cyberattack, malware infection or ransomware attack.
The first step in a response is to take quick action to prevent any impermissible disclosure of electronic protected health information (ePHI). If a network intrusion has occurred, unauthorized access to the network, and to the data it holds, must be stopped, and measures must be taken to prevent data from being downloaded.
Healthcare groups may have employees capable of responding to such an incident, although third-party firms can be hired to assist with the response. Smaller healthcare groups may have little choice but to call in external consultants to investigate a breach and ensure that access to data has been effectively blocked.
OCR has warned covered organizations that a third-party cybersecurity firm brought in to help with response and mitigation would be classified as a business associate. Therefore, prior to access to systems being given, a HIPAA-compliant business associate agreement must be completed by the cybersecurity firm. Failing to obtain a signed BAA prior to access to systems being given would be a clear violation of HIPAA Rules and classified as an impermissible disclosure of ePHI.
A cyberattack is a serious crime, so law enforcement should be alerted. Covered organizations should advise the FBI and/or Secret Service of any cyberattack or ransomware incident and should also notify state and local law enforcement. Details of the incident should be given, although covered organizations should not disclose any protected health information unless the disclosure is otherwise permitted by the HIPAA Privacy Rule (45 C.F.R. § 164.512(f)).
Covered organizations have been told that law enforcement may request that breach reporting be delayed when announcing a breach would impede a criminal investigation or could otherwise harm national security. A written request from law enforcement should state the duration of the delay and should be respected; an oral request should result in a delay of no longer than 30 days from the date of the request, unless a written statement is submitted during that time. (45 C.F.R. § 164.412)
After law enforcement has been alerted, covered organizations should report cyber threat indicators to federal agencies and to information sharing and analysis organizations (ISAOs). The Department of Homeland Security and the HHS Assistant Secretary for Preparedness and Response should be provided with threat indicators, although covered organizations should not disclose any protected health information in these reports.
Covered organizations are advised that threat indicator information is not passed to OCR by other federal agencies. Covered organizations must therefore file a separate breach notification with OCR as quickly as possible, and no later than 60 days following discovery of the breach if the incident affects 500 or more individuals (unless told to delay by law enforcement).
Covered organizations can notify OCR of a breach affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breach was discovered.
The guidance says, “OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident.”
In all instances, the individuals affected by a breach must be notified without unreasonable delay and no later than 60 days following the initial discovery of the breach.
The recently published checklist and infographic can be downloaded using the links here: