Know How to Respond to a Cyber Security Incident

Organizations that fall under the purview of HIPAA have to respond quickly to a cyber attack. The Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services (HHS) issued a step-by-step guide to aid organizations. As a covered entity, your organization must have a contingency plan and incident procedures in the event of a security breach.

1. Execute Response

The first step is to put your contingency plan into action. In order to comply with HIPAA, you should already have established procedures to respond to a cyber security incident.

• Stop the incident. Fix any problems, technical or otherwise, that created the vulnerability.
• Stop further disclosure of personal health information. Your own IT staff or designated outside personnel with proper security safeguards may complete this step.

2. Report to Law Enforcement

You should tell law enforcement there has been a breach. Depending on the circumstances of the breach, these agencies may tell you to refrain reporting the breach further, specifically to affected individuals and the media, if that may jeopardize an investigation.

• Report the incident. Relevant agencies may include the Secret Service, FBI or state or local law enforcement.
• Do not disclose personal health information. Your report must not include any HIPAA-protected information.
• Follow instructions from law enforcement. This includes delayed reporting of the incident to the media or individuals upon agency request.

3. Report Cyber Threat Indicators

Cyber threat indicators are described in detail by the Cybersecurity Information Sharing Act of 2015 (CISA). In essence, they establish how the incident happened. They are of interest to information sharing and analysis organizations (ISAOs).

• Report the indicators. Tell the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private sector ISAOs.
• Do not disclose personal health information. Your report to ISAOs must not include any information that is protected by HIPAA.

4. Report to OCR

You are required to report the incident to the Office of Civil Rights. OCR considers breaches reportable unless the personal health information was encrypted at the time of the incident. The specific reporting requirements differ depending on whether the breach involved the health information of more or less than 500 individuals.For breaches involving less than 500 people:

• Report to affected individuals. This must occur without unreasonable delay but no later than 60 days after discovery of the breach.
• Report to OCR. This must occur within 60 days of the end of the calendar year when the breach was discovered.

For breaches involving more than 500 people:

• Report to OCR. This must occur as soon as possible but no longer than 60 days after discovery of the breach.
• Report to affected individuals.
• Report to the media.

The OCR guidelines use the word "must" in its directive for points one and four, while they use the word "should" for points two and three. Although reporting the incident to law enforcement and informing relevant agencies of cyber threat indicators may only be recommended, it is advisable to follow all OCR instructions. This will help mitigate further cyber security threats on a national basis and remove any doubt of your compliance with HIPAA guidelines.HIPAA-covered entities can take comfort in the guidelines from the OCR about how to handle a cyber security threat or breach. By following these steps, you can fulfill your legal obligations and uphold your commitment to those whose information you keep secure.NetWorks Group has a suite of solutions that will help you manage risk to sensitive healthcare data and achieve compliance. Contact us today to learn more!