OCR releases cyberattack guidance for covered entities
Last week, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) published new guidance for covered entities on the correct response procedures following a cyberattack. Titled ‘My entity just experienced a cyber-attack! What do we do now?’ the guidance consists of a quick response checklist and an accompanying infographic to highlight a series of necessary actions in an easy to digest, shareable format.
Here’s what you need to know, should your organization fall victim to an attack.
Preparation is paramount to protection. The OCR guidance reminds covered entities to ensure they are equipped with response and mitigation procedures and contingency plans that can be implemented immediately following the discovery of a cyberattack, malware, or ransomware attack in order to prevent any disclosures of protected health information (PHI).
Third-party cybersecurity firms may be contracted to assist with response procedures for those smaller healthcare organizations, or those lacking suitably trained resource teams. Any involved third-parties would be classified as business associates and therefore a Business Associate Agreement (BAA) must be signed before any access to systems, devices, or networks is granted. Failure to obtain such documentation will result in a violation of HIPAA Rules, paving the way for further problems.
Report to Law Enforcers
Cyberattacks are a criminal activity and therefore state and local law enforcers need to be notified and provided with details of the incident. OCR reminds organizations not to disclose any PHI to these agencies.
Law enforcement may request breach reporting to be delayed if there is a possibility the announcement could impede investigation or harm national security. OCR advises that such requests should be honored providing the duration of the delay has been officially documented.
Share Threat Indicators
Following law enforcement involvement, covered entities are next reminded to report any cyber threat indicators to federal and information sharing and analysis organizations (ISAOs). Threat indicator reports should also be sent to the Department of Homeland Security and the HHS Assistant Secretary for Preparedness and Response. Again, it is essential that no amount of PHI is disclosed to these parties.
Notify OCR and affected individuals
The guidance advises covered entities to also submit a separate breach notice to OCR as soon as possible, or within 60 days of initial discovery if more than 500 individuals are affected by the incident (unless law enforcement has stated otherwise).
Should the cyberattack impact fewer than 500 individuals, covered entities can inform OCR within 60 days of the calendar year end in the year which the breach was identified. According to the guidance, “OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident.”
This new guidance for covered entities outlines only the absolute basics. There are of course a plethora of more detailed actions that must be adhered to before, during, and after a cyberattack. However, any OCR issued guidance is well worth reading and sharing. You can download the full checklist and infographic using the links below: