Recent HHS Activity Following International Cyber Attacks
by: Kristen Andrews Wilson of Steptoe & Johnson PLLC  -  Know How: Alert
Thursday, August 24, 2017
cybersecurity button, wannacry, hhs, ocr
Print Mail Download i

Following recent international cyber attacks, the U.S. Department of Health and Human Services (HHS) has issued warnings to healthcare organizations, provided a cyber attack checklist, and launched its revised HIPAA Breach Reporting Tool (HBRT). 

HHS Response to WannaCry Ransomware

In response to the WannaCry ransomware attack, HHS reminded healthcare organizations of its prior guidance that the HHS Office for Civil Rights (OCR) presumes a breach in the case of a ransomware attack.  The entity must determine whether the breach is reportable no later than 60 days after the entity knew or should have known of the breach.  According to the Breach Notification Rule, a breach notification is required unless the healthcare organization can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors: the nature and extent of the PHI involved, the identity of the unauthorized person who used the Protected Health Information (PHI) or to whom the disclosure was made, whether the PHI was actually viewed or acquired, and the extent to which the risk to the PHI has been mitigated.

If the data was not encrypted by the entity to at least National Institute of Standards and Technology (NIST) specifications when the ransomware attack was deployed, OCR presumes a breach occurred. In that situation, the entity would need to prove that the electronic Protected Health Information (ePHI) was encrypted when the attack occurred and the ransomware containerized (encrypted again) the already encrypted ePHI. 

OCR Quick Response Cyber Attack Checklist

In early June, OCR announced the release of its Quick Response Cyber Attack Checklist, which includes the following four steps for entities experiencing a cyber attack:

  1. The entity must execute its response and mitigation procedures as well as its contingency plans.  The entity should fix technical and other problems in order to stop the attack and take steps to mitigate impermissible disclosures of PHI.  Outside vendors may be brought in to offer assistance. 

  2. The entity should report the incident to law enforcement agencies including state or local law enforcement, the FBI, and/or the Secret Service. Any such report should not include PHI unless permitted by the HIPAA Privacy Rule.

  3. The entity should report all cyber threat indicators to federal ISAOs (information-sharing and analysis organizations), without disclosing any PHI.

  4. The entity must meet its OCR reporting obligations and individual and/or media notification obligations in a timely manner.  It is important to note that “OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach.”

Revised HBRT

In late July, HHS announced the launch of its revised HBRT.  The revised HBRT includes the following features designed to assist the healthcare industry:

  • Easier incident reporting; and

  • Educational information for industry regarding incidents that are occurring as well as information about how breaches may be resolved, which can assist organizations within the healthcare industry with their efforts to improve their security preparedness. 

A look ahead…

On September 5-6, 2017, HHS, OCR, and the National Institute of Standards and Technology will co-host the 10th annual conference, “Safeguarding Health Information: Building Assurance Through HIPAA Security” in Washington, D.C. 

© Steptoe & Johnson PLLC. All Rights Reserved.

Current Legal Analysis

More from Steptoe & Johnson PLLC

Gas Pipeline Methane Emissions Under Congressional Scrutiny; PHMSA Issues Proposed Rulemaking Concerning Leak Detection and Repair
by: Kurt L. Krieger , Kevin W. Hivick Jr.
Federal Court to Reexamine Merits of a Nationwide Injunction to Tip Credit Rule
by: Allison B Williams , Ashley Faulkner
Supreme Court Limits the Use of Federal Administrative Law Judges; Related FERC Cases Pending
by: Kurt L. Krieger , Kevin W. Hivick Jr.
SCOTUS Redefines the Bounds of the Clean Water Act with Its Decision in Sackett v. United States
by: Armando Benincasa , Allyn G. Turner
NLRB Issues Complaint for Athlete Misclassification against NCAA, Pac-12, and USC
by: Michael J. Moore , John R. Merinar, Jr.
NLRB Gives Workers Greater Leeway to Engage in Abusive Conduct
by: Michael J. Moore , Ashley Faulkner
NLRB ‘Will Not Stop Short’ in Imposing Remedies for Failure to Bargain
by: Michael J. Moore , Anna Pugh
Qualifying for the Employee Retention Credit and Partial Shutdowns
by: Christine M. Green
Pennsylvania Lawmaker Introduces Bill to Provide for a Community Solar Program
by: Brian J. Pulito , Jon C. Beckman
NLRB Provides Guidance on Confidentiality & Non-Disparagement Clauses
by: Mark G Jeffries

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins