Cyber-Attack Response for HIPAA-Covered Entities and Business Associates
In light of WannaCry and other highly visible data breaches, HHS's Office of Civil Right (OCR) recently released a checklist along with an infographic for covered entities and their business associates to utilize as a guide on what to do in the unlikely event of a cyber-attack. The guide and related infographic can be obtained from here: https://www.hhs.gov/sites/default/files/cyber-attack-checklist-06-2017.pdf https://www.hhs.gov/sites/default/files/cyber-attack-quick-response-infographic.gif The guide outlines four mandatory actions to be taken: 1) The entity must execute its response and mitigation procedures and contingency plans. 2) The entity should report the crime to other law enforcement agencies. 3) The entity should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs). 4) The entity must report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals. The guide re-iterates the requirements established HIPAA Security Rule, HIPAA Privacy Rule, HIPAA Breach Notification Rule, HIPAA Enforcement Rule, and others including Cybersecurity Information Sharing Act. The checklist also provides insights to mandatory requirements but are often overlooked by small and medium entities, such as, having contingency planning and incident response capabilities, documented procedures and testing, and maintain ongoing updates.