July 21, 2017

HHS’ Checklist on How to Respond to a Cyber Attack

The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) recently issued a checklist that details suggested best practices for entities covered by the Health Insurance Portability and Accountability Act (HIPAA) in responding to potentially damaging cyber attacks. The checklist, and an accompanying infographic, provide welcome guidance for health care companies, which have found themselves increasingly targeted by cybercriminals who seek to steal valuable data or launch potentially devastating ransomware attacks. Indeed, last month’s WannaCry ransomware attack crippled portions of the U.K.’s National Health Service, resulting in the cancellations of medical procedures and the closure of emergency rooms across the U.K.

OCR’s guide should serve as a quick response tool for all HIPAA-covered entities – including health care organizations and their vendors – to efficiently and effectively react to a cyber attack. Importantly, the checklist identifies the minimum criteria, or foundational elements, a company must meet in the wake of a cyber emergency to safeguard data. Specifically, OCR’s checklist recommends that HIPAA-covered entities (and affiliates) pursue the following actions:

  1. Execute mitigation procedures to immediately fix the technical problem that caused or permitted the cyber attack;

  2. Report the breach to local and federal law enforcement;

  3. Share all cyber threat indicators with information-sharing and analysis organizations (ISAOs), which include the Department of Homeland Security, Health and Human Services Assistant Secretary for Preparedness and Response, and private sector ISAOs; and

  4. Disclose the breach to OCR immediately – but no later than 60 days following the discovery of a breach that affects at least 500 people – and to those whose information has been compromised. If a cyber attack affects fewer than 500 people, the HIPAA-covered entity must notify the affected individuals “without unreasonable delay” and report the breach to OCR within 60 days of the end of the calendar year.

Compliance with these protocols by health care entities will be considered by OCR as a mitigating factor in any OCR investigation into a data breach.

It is important to note, however, that the checklist only addresses post-breach compliance under HIPAA. Health care providers may have other reporting obligations under federal and state laws, particularly state data breach notification laws. Health care providers that are the victims of a data breach should consult with counsel to determine the extent of their reporting obligations.

© Copyright 2017 Cadwalader, Wickersham & Taft LLP

About this Author

Stephen Weiss, Cadwalader Law Firm, White Collar Defense Attorney
Associate

Stephen Weiss is an associate in the White Collar Defense and Investigations Group in Cadwalader’s Washington, D.C., office. His practice concentrates on advising clients in a variety of criminal and regulatory matters, focusing primarily on government enforcement actions and internal corporate investigations. 

A graduate of Dickinson College, Stephen received his J.D. from American University, Washington College of Law and served on The American University Business Law Review. He is admitted to practice in the District of Columbia.

202-862-2347
Joseph Facciponti, Cadwalader Law Firm, Cybersecurity and National Security Attorney
Special Counsel

Joseph Facciponti is a special counsel in the firm’s New York office with 11 years of experience as a federal prosecutor and as corporate counsel at a large financial institution. His practice focuses on representing corporations, financial institutions and individuals in investigations, regulatory enforcement actions, and litigation concerning white collar crimes, computer crimes and commercial disputes.

Prior to joining Cadwalader, Joseph held an executive-level position in the legal department of HSBC Holdings, where he was responsible for leading global investigations of matters involving money laundering, sanctions, tax and anti-bribery laws, including the Foreign Corrupt Practices Act. As counsel for HSBC, Joseph also advocated for the bank’s interests before U.S. and foreign regulators as well as HSBC’s independent monitor.

212-504-6313