The healthcare industry is under attack from hackers and malicious insiders, and systems are being compromised at a greater rate than ever before. Last year saw a record number of HIPAA breaches reported to OCR, and the trend has continued in 2017, which looks set to be another record-breaking year.
With cyberattacks and other security incidents now far more likely, it is more important than ever that HIPAA-covered entities know how to respond when an attack occurs. A fast response limits the scope of a breach and the harm suffered by affected individuals. But what is the correct way to respond to a cyberattack, and what steps should be followed when systems are breached?
OCR has provided further guidance for covered entities in the form of a checklist. The checklist is a handy reminder of the correct sequence of actions in an efficient breach response.
Responding quickly requires being prepared. Once a breach has occurred it is too late to start formulating a plan, and valuable time will be lost. Covered entities must therefore have response and mitigation procedures and contingency plans that can be put into action the moment a cyberattack is discovered.
OCR reminds covered entities that the first step is to contain the incident: secure ePHI and cut off the attacker's access to it, so that no further impermissible disclosure of PHI occurs. In the case of a hack, that means isolating the affected device(s) from the network, revoking or blocking the access being abused, and stopping any ongoing data exfiltration. Isolate rather than wipe or rebuild at this stage: the logs, memory and disk contents of the affected systems are the evidence the subsequent investigation and any law enforcement report will depend on.
Healthcare organizations with in-house cybersecurity staff may be able to contain the incident themselves; those without can engage one of the many third-party incident response firms. As part of breach response planning, covered entities should identify the firm(s) they would call in advance so they can be contacted quickly when a breach occurs. Bear in mind that a HIPAA business associate agreement must be in place with any such firm beforehand, since its staff will need access to systems containing ePHI.
The second stage is reporting the incident to law enforcement. Covered entities should alert the FBI and/or the U.S. Secret Service, as well as state or local law enforcement. The report should describe the incident in enough detail to be useful, but covered entities must ensure that nothing they share contains PHI.
Cyber threat indicators (for example the attacker's IP addresses, malicious domains, malware hashes and the phishing lure used) should then be shared with information sharing and analysis organizations (ISAOs), the HHS Assistant Secretary for Preparedness and Response, and the Department of Homeland Security, again taking care not to disclose any ePHI.
The cyberattack must be investigated and the affected individuals identified. Those individuals must be notified of the breach without unreasonable delay and no later than 60 days after the breach is discovered; the 60 days is an outer limit, not a target. The one permitted exception is a delay requested by law enforcement: if an official states that notification would impede a criminal investigation, notification may be postponed for the period the official specifies.
OCR must also be notified without unreasonable delay, and within the same 60-day limit, if the breach affects 500 or more individuals. Breaches affecting fewer than 500 individuals must be reported to OCR within 60 days of the end of the calendar year in which they were discovered.
OCR reminds covered entities that “All cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident.”
Note that encryption only removes the reporting obligation if it meets the HHS guidance for rendering PHI unusable and the decryption key was not itself compromised in the attack.
A summary of a correct breach response is set out in the infographic accompanying this article.