Today, reports about ransomware and other cyberattacks, such as WannaCry and Petya, are a daily occurrence. The healthcare sector isn’t exempt. You probably read about hackers’ recent break-in to the United Kingdom’s National Health Service computers, for example.

But, there’s good news. Your organization can prepare for these inevitable attacks – and handle any incidents using trusted, expert advice. In this blog post, I’ll provide a summary (and some perspective) on the “official” guidance from The U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR).

How to respond to a cyber-related security incident

  • First step, execute your response and mitigation procedures and contingency plans. To stop the incident, identify and fix any technical (or other) problems you see. To help address any presumed protected health information leaks, leverage the expertise of your own information technology staff, or bring in an outside entity, if needed.
  • Report the crime to other law enforcement agencies. This may include state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service. Don’t include protected health information, unless otherwise permitted by the HIPAA Privacy Rule. If a law enforcement official tells you that any potential breach report would impede a criminal investigation or harm national security, delay reporting a breach during law enforcement’s requested time period (if you have it in writing) or for 30 days (if the request is made orally).
  • Report all cyber threat indicators to the appropriate federal and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs. Your reports should not include protected health information.
  • Report the breach to the OCR as soon as possible (but no later than 60 days after the discovery of a breach affecting 500 or more individuals). Also, notify affected individuals and the media unless a law enforcement official has requested a delay in the reporting. OCR presumes all cyber-related security incidents (where protected health information was accessed, acquired, used, or disclosed) are reportable breaches. This is the case unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach. If your organization discovers a breach affecting fewer than 500 individuals, you have an obligation to notify the following:
    • Applicable individuals — without unreasonable delay, but no later than 60 days after discovery
    • OCR — within 60 days after the end of the calendar year in which the breach was discovered

Help your organization avoid cyberattacks

  • Follow a regular patching program to ensure operating systems and applications have the latest security patches installed
  • Check that data is backed up and restoration is tested
  • Confirm backup sets are not stored on the same network segment as production data

Ready to learn more?