In May, the global WannaCry ransomware attacks resulted in more than 230,000 computers being infected and encrypted. There were also a high number of other IT security incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).
The increase in attacks and data breaches prompted OCR to confirm the HIPAA definition of a security incident, which types of attacks are reportable, how covered entities should prepare for such an incident, and the correct response to a security breach.
The HIPAA Security Rule requires covered entities to take steps to prevent cyberattacks and other security incidents. Covered entities must implement technical, physical, and administrative safeguards to preserve the confidentiality, integrity and availability PHI.
However, even covered entities that have met those requirements can experience security incidents involving PHI. Robust, multi-layered cybersecurity defenses will not make covered entities immune to attack. It is therefore essential to have a tested, breach response plan that can be implemented as soon as a security incident is discovered, otherwise valuable time will be lost.
Organizations must also be aware of the HIPAA definition of a security breach. It has come to OCR’s attention that many covered entities are confused about the definition of a HIPAA security incident and when the HIPAA Breach Notification Rule applies. Recent ransomware attacks on healthcare organizations have been reported by the media, yet OCR has received no breach notice and patients have not been informed that their ePHI has been accessed.
In its May Cybersecurity Newsletter, OCR explains that the HIPAA Security Rule classes a security incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
OCR reminded covered entities that a ransomware attack that results in unsecured ePHI being encrypted counts as an unauthorized access and disclosure. The HIPAA Breach Notification Rule requires OCR and affected individuals to be notified.
The deadline for reporting security incidents is 60 days from the discovery of the incident, although that is the absolute deadline. Covered entities must not unnecessary delay the issuing of notices and should not wait until a couple of days before the deadline to send notifications. That would be a HIPAA violation.