HHS GUIDANCE ON A CYBER-ATTACK

Has your entity just experienced a cyber-related security incident, and are you wondering what to do next? This guide explains, in brief, the steps a HIPAA covered entity or its business associate should take in response to a cyber-related security incident.

IN THE EVENT OF A CYBER-ATTACK OR SIMILAR EMERGENCY, AN ENTITY:

• Must execute its response and mitigation procedures and contingency plans. For example, the entity should immediately fix any technical or other problems to stop the incident. The entity should also take steps to mitigate any impermissible disclosure of protected health information, which may be done by the entity’s own information technology staff, or by an outside entity brought in to help (which would be a business associate, if it has access to protected health information for that purpose).

• Should report the crime to law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service. Any such reports should NOT include protected health information, unless otherwise permitted by the HIPAA Privacy Rule. If a law enforcement official tells the entity that any potential breach report would impede a criminal investigation or harm national security, the entity must delay reporting a breach (see below) for the time the law enforcement official requests in writing, or for 30 days, if the request is made orally.

• Should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs. Any such reports should not include protected health information. OCR does not receive such reports from its federal or HHS partners.

• Must report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals; and notify affected individuals and the media unless a law enforcement official has requested a delay in the reporting. OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach. An entity that discovers a breach affecting fewer than 500 individuals has an obligation to notify: individual without unreasonable delay, but no later than 60 days after discovery; and OCR within 60 days after the end of the calendar year in which the breach was discovered.

OCR considers all mitigation efforts taken by the entity during any particular breach investigation. Such efforts include voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations as described above.

Cyber-Attack Guidance Summary

As is detailed above, it is best to have a checklist of activities that need to take place if a cyber-attack happens. An Incident Response Plan will contain and mitigate the cyber incident. Once the incident is either contained or to the point that other activities can commence, notifications need to be made. Contacting law enforcement, then the information-sharing and analysis organizations (ISAOs), will help to aid not only your organization but alert peers to possible threats. Finally, if the cyber-attack is determined to be a breach, any federal and state reporting must be made.

How can a Security Risk Analysis from the Kentucky REC help?

Our highly trained staff can help your organization reduce your cyber-attack risk through a Risk Analysis. By performing interviews, facility walk throughs, and looking at your documentation, then matching your existing controls to industry best practice, you will receive a thorough view of your vulnerabilities. Once the vulnerabilities are identified, they will be outlined in a final report with suggestions for compensating controls to reduce cyber-attack risks.

Contact the security experts at Kentucky REC with your HIPAA and security questions. Call us at 859-323-3090.