Healthcare data contain valuable, rich information, which is why healthcare organizations continue to be a prime target for cybercriminals. As attack methods evolve, healthcare organizations face tougher challenges with each passing day. And healthcare providers must protect their patients’ protected health information (PHI) to abide by the rules of HIPAA.
That said, HIPAA was established long before cybersecurity came into existence, meaning its safeguards aren’t centered around cybersecurity requirements. Hence, many healthcare providers do not understand how they should respond when they encounter a breach caused by a cyber attack.
To top it off, data breaches involving healthcare have increased at an alarming rate. Over 41 million patient records were breached in 2019 alone, with nearly 21 million records affected in a single hacking incident. Very alarming indeed.
So what should hospitals do when, not if, they experience a cyber attack? Let’s take a look at the cyber-attack response checklist issued by the Office for Civil Rights (OCR).
In the event of a cyber-attack or similar incident, an entity:
Must Enact its Response and Mitigation Procedures and Contingency Plans
For instance, the healthcare provider should immediately remediate any technical or other problems to stop the incident. The provider should also take appropriate steps to lessen any impermissible disclosure of protected health information (PHI). This can be done by the provider’s internal IT team or by a third party; in that case, the third party is a business associate if it has access to PHI for that purpose.
Should Notify Other Law Enforcement Agencies
The provider can report the incident to state or local law enforcement agencies, the Federal Bureau of Investigation (FBI), and/or the Secret Service. It must be noted that any such reports must not include any PHI unless otherwise permitted by the HIPAA Privacy Rule. Also, if a law enforcement official tells the provider that a potential breach report would hinder a criminal investigation or harm national security, then the provider must delay reporting the breach for as long as the official requests in writing, or for 30 days if the request is made orally.
Should Report All Cyber Threat Indicators
In its cybersecurity guidance, OCR advises providers to report cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs. Note that any such reports must not include any PHI.
Must Report the Breach to OCR as Soon as Possible
This step is required by the HIPAA Breach Notification Rule. In the event of a breach affecting 500 or more individuals, a provider must notify OCR no later than 60 days after discovery of the breach. The provider must also notify the affected individuals unless a law enforcement official or the media requests that the reporting be delayed. Under HIPAA, all security incidents, including cyber-related ones, in which PHI was accessed, acquired, used, or disclosed are reportable breaches. It is not a reportable breach, however, if the entity had encrypted the information, or if the entity determines through a written risk assessment that there was a low probability that the information was compromised during the incident.
If the breach affects fewer than 500 individuals, the entity must notify the affected parties without unreasonable delay, and no later than 60 days after discovery. The provider must also notify OCR within 60 days after the end of the calendar year in which the breach was discovered.
Summing It Up
There is no reason to get dispirited when a cybersecurity-related breach occurs: any efforts you made to mitigate the breach and remediate its effects will be taken into consideration by OCR during a breach investigation.