HHS’ Checklist on How to Respond to a Cyber Attack
The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) recently issued a checklist that details suggested best practices for entities covered by the Health Insurance Portability and Accountability Act (HIPAA) in responding to potentially damaging cyber attacks. The checklist, and an accompanying infographic, provide welcome guidance for health care companies, which have found themselves increasingly targeted by cybercriminals who seek to steal valuable data or launch potentially devastating ransomware attacks. Indeed, last month’s WannaCry ransomware attack crippled portions of the U.K.’s National Health Service, resulting in the cancellations of medical procedures and the closure of emergency rooms across the U.K.
OCR’s guide should serve as a quick response tool for all HIPAA-covered entities – including health care organizations and their vendors – to efficiently and effectively react to a cyber attack. Importantly, the checklist identifies the minimum criteria, or foundational elements, a company must meet in the wake of a cyber emergency to safeguard data. Specifically, OCR’s checklist recommends that HIPAA covered entities (and affiliates) pursue the following actions:
Execute mitigation procedures to immediately fix the technical problem that caused or permitted the cyber attack;
Report the breach to local and federal law enforcement;
Share all cyber threat indicators with information-sharing and analysis organizations (ISAOs), which include the Department of Homeland Security, Health and Human Services Assistant Secretary for Preparedness and Response, and private sector ISAOs; and
Disclose the breach to OCR immediately – but no later than 60 days following the discovery of a breach that affects at least 500 people – and to those whose information has been compromised. If a cyber attack affects fewer than 500 people, the HIPAA covered entity must notify the affected individuals “without unreasonable delay” and report the breach to OCR within 60 days of the end of the calendar year.
Compliance with these protocols by health care entities will be considered by OCR as a mitigating factor in any OCR investigation into a data breach.
It is important to note, however, that the checklist only addresses post-breach compliance under HIPAA. Health care providers may have other reporting obligations under federal and state laws, particularly state data breach notification laws. Health care providers that are the victims of a data breach should consult with counsel to determine the extent of their reporting obligations.