July 14, 2020

Volume X, Number 196

July 13, 2020


OCR Responds to Rise in Health Care Cyber Attacks

The recent WannaCry ransomware and Petya/NotPetya malware attacks that targeted thousands of organizations around the world, most notably health care providers and pharmaceutical companies, signal the urgency of protecting against ever-evolving cybersecurity risks. As a result of these attacks, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has developed a growing set of resources to provide planning and response guidance to health care entities. OCR recently issued a Quick-Response Checklist and infographic as well as guidance that outlines the steps that a HIPAA-covered entity or business associate can take in response to a cyber threat or attack.

OCR recommends in its checklist that a health care organization experiencing a cyberattack or similar emergency, in addition to reporting to OCR as soon as possible any breach of protected health information (PHI) affecting 500 or more individuals, do the following:

  • Execute its response and mitigation procedures and contingency plans;

  • Report the crime to other law enforcement agencies; and

  • Report all cyber threat indicators to the appropriate federal and information-sharing and analysis organizations.

The OCR guidance materials also encourage health care organizations to share threat, attack and vulnerability information with each other in order to reduce the threat of ongoing harm.

Securing the information exchange of health data is a significant challenge. OCR is vocalizing its awareness of this challenge by urging health care organizations to pursue security preparedness, responsiveness and consequence management in order to minimize the impact of any breaches.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume VII, Number 194


About this Author

Emily Maus, Drinker Biddle Law Firm, Energy Law Attorney

Emily J. Maus assists in clean energy project development, including the structure and development of microgrids and on-site generation. She has experience in a variety of energy procurement matters and energy transactions and advises clients in energy and life science industries on international, federal, and state regulatory compliance. Her work also includes assisting health care systems, hospitals, and life sciences companies with various regulatory and transactional matters.

Sumaya Noush, Drinker Biddle Law Firm, HealthCare Attorney

Sumaya Noush counsels health care clients on strategic and operational matters including transactions, corporate governance, and regulatory compliance. She helps her clients navigate the daily challenges of running their operations while identifying opportunities for growth in today’s rapidly evolving and highly competitive health care market.

Sumaya previously served as a law clerk for Drinker Biddle, an instructor at Yale’s Bioethics Institute where she taught a seminar on FDA law and medical ethics, and a Visiting Scholar at the Hastings Center where she researched Medicare reimbursement.

Krissa Webb, Drinker Biddle Law Firm, Health Care Attorney

Krissa Webb assists health care systems, hospitals, and life sciences companies on a variety of corporate transactions and regulatory compliance matters, including fraud and abuse risks and patient privacy issues arising under HIPAA/HITECH. She also advises a number of clients in the life sciences industries on the implications of U.S. and international privacy regulations for strategic business initiatives and partnerships.