Last week, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) released new guidance on reporting and monitoring cyber threats. The guidance urges covered entities and business associates to report suspicious activity, including cybersecurity incidents, to the United States Computer Emergency Readiness Team (US-CERT). US-CERT is an organization within the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC) that is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities. It is operational 24 hours a day, and accepts, triages, and collaboratively responds to incidents.
In addition to reporting to US-CERT, OCR urges covered entities and business associates to monitor US-CERT's website for reports on vulnerabilities. Covered entities and business associates can also receive these reports via email by visiting the organization's Mailing List and Feeds site. Subscriptions are available to Weekly Vulnerability bulletins, Technical Alerts, Current Activity Entries, and Tips. These subscriptions provide up-to-date information on new vulnerabilities and risks as well as patches and suggested mitigation steps when available.
OCR points out that US-CERT's information can be leveraged as part of a covered entity's or business associate's security management process. To refresh our readers' recollections, HIPAA requires covered entities and business associates to implement administrative safeguards to protect electronic protected health information (ePHI). One of these safeguards is a security management process that includes, among other things, a risk analysis and certain risk management activities.
OCR points to the NCCIC's report on the Grizzly Steppe attack as an example of the type of information that would be helpful to those in the healthcare industry. However, it's not hard to find other US-CERT materials that can assist HIPAA-regulated entities in securing their ePHI. For example, a previous alert addresses ransomware attacks that continue to plague the healthcare industry.