OCR released a simple checklist and infographic last week to assist Covered Entities and Business Associates with responding to potential cyber attacks. As cybersecurity remains a pressing concern for health care entities, these guidance documents are a useful reminder of best practices that health care entities should have in place in case of a cybersecurity incident.
OCR recommends taking the following steps in case of a cyber attack:
- First and foremost, fix the problem and mitigate any impermissible disclosures of protected health information (PHI). If the attack is still ongoing, the entity must try to stop the incident and fix the technical or other issues that permitted the attack. The entity should already have response and mitigation procedures in place and then carry them out accordingly. Proper training and education for employees or other individuals at the entity in charge of executing such procedures are critical to stopping the problem quickly and effectively and limiting further access to PHI. OCR points out that any outside entities used to carry out the response and mitigation are considered Business Associates if they must access PHI for such duties.
- Report the incident to appropriate law enforcement agencies. It is important to report the crime to law enforcement before reporting to OCR (if required) or any other organization because the entity must delay reporting the breach if the reporting would impede a criminal investigation or harm national security. Entities should be careful not to disclose PHI in reports to law enforcement unless the disclosure is expressly permitted by the Privacy Rule. The Privacy Rule does permit Covered Entities and Business Associates to disclose PHI to law enforcement without the individual’s written authorization, but specific conditions must be met.
- Report “cyber threat indicators” to information-sharing and analysis organizations (ISAOs). While reporting to ISAOs is not required, the Cybersecurity Information Sharing Act of 2015 (“CISA”) encourages entities to voluntarily report cyber threat indicators to certain federal agencies, state and local governmental bodies, and private entities so that such organizations are made aware of possible or actual threats or vulnerabilities and their potential harms. Cyber threat indicators include:
  - any information necessary to describe or identify malicious reconnaissance;
  - methods of defeating a security control or exploitation of a security vulnerability;
  - a security vulnerability;
  - methods of causing a user with legitimate access to defeat a security control or exploitation of a security vulnerability;
  - malicious cyber command and control;
  - a description of actual or potential harm caused by an incident;
  - any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; and
  - any combination of the foregoing threats.
This type of information does not generally include or require disclosure of PHI, so PHI should not be disclosed in these reports unless permitted under the Privacy Rule. In exchange for reporting such information, CISA protects entities from liability when such information-sharing complies with the law’s requirements. Accordingly, OCR’s checklist notes that OCR does not receive any ISAO reports from its federal or agency partners.
- Finally, determine if a reportable breach has occurred and report the breach to OCR as soon as possible. All cyber-related security incidents involving unencrypted PHI are presumed to be reportable breaches unless the entity determines through a written risk assessment that the likelihood of impermissible use or disclosure of PHI was low. Therefore, the entity must document a written risk assessment if it determines that no reportable breach has occurred. As a reminder, breaches affecting 500 or more individuals must be reported to OCR, the affected individuals, and the media no later than 60 days after discovery; breaches affecting fewer than 500 individuals must be reported to the affected individuals no later than 60 days after discovery but may be reported to OCR within 60 days after the end of the calendar year in which they were discovered. As we’ve previously discussed on the blog, OCR takes timely notification of breaches seriously and announced its first settlement related to a Covered Entity’s untimely breach notification in January.