May 4, 2020
As more and more healthcare-related activities move online in response to the novel coronavirus outbreak, it is more important than ever for covered entities and their business associates to be diligent and proactive about their cybersecurity. On April 30, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) re-released its Cyber Attack Quick Response Checklist in an effort to support covered entities and business associates facing increased risk of cyber-crime during this time. The checklist, which was originally released by OCR in 2017 in response to the WannaCry ransomware attack, outlines the actions a covered entity and/or a business associate should take to protect itself and patients in the immediate aftermath of a cyber-attack that results in the breach of protected health information (PHI).
Specifically, covered entities and business associates should:
- Identify the technical or security problem that gave rise to the incident and take steps to immediately cease the unauthorized access or activity. It is critically important to mitigate any further disclosure of PHI.
- Report the incident to local, state, and federal law enforcement officials, including the FBI, as soon as possible. Keep in mind that pursuant to HIPAA and other state breach notification laws, law enforcement officials have the right to delay the report of a breach if the report would impede a criminal investigation or harm national security.
- Report all cyber-attacks and suspected cyber threats to federal information-sharing and analysis organizations (ISAOs) such as the Department of Homeland Security and the HHS Assistant Secretary for Preparedness and Response, as well as private sector ISAOs that analyze cyber security issues.
- Fulfill their breach reporting obligations.
  - Under HIPAA, breaches that affect 500 or more individuals must be reported to OCR as soon as possible, but not later than 60 days after discovery. In the checklist, OCR encourages covered entities and business associates to assume that any unauthorized access of PHI constitutes a breach, unless the information was encrypted at the time of access or the entity performs a written risk assessment and determines there is a low probability that PHI was compromised as a result of the incident.
  - For breaches that affect fewer than 500 individuals, the covered entity or business associate must notify affected individuals without unreasonable delay, but not later than 60 days after discovery. Additionally, OCR must be notified within 60 days after the end of the calendar year in which the breach was discovered.
- While the OCR checklist focuses specifically on federal breach reporting requirements, nearly all states also have their own breach reporting obligations, some of which are more stringent than those required under HIPAA. A covered entity or business associate that has experienced a breach of PHI must carefully assess its additional obligations under state law.
Though the OCR’s checklist is certainly not the end-all, be-all for responding to a cybersecurity incident or threat, these initial actions will help covered entities and business associates mitigate further harm and additional disclosures of PHI.