OCR Explains How Covered Entities Must Respond to a Cyberattack

June 14, 2017


The healthcare industry is under attack from malicious insiders and external hackers, and systems are being compromised at a higher rate than ever before. Last year saw a record number of HIPAA breaches reported to OCR, and the trend has continued this year, which looks set to be another record-breaking year for HIPAA breaches.

With cyberattacks and other security incidents now more likely than ever, it is vital that HIPAA covered entities know how to respond when an attack occurs. A rapid response can limit the impact of a breach and the harm suffered by patients. But what is the correct way to respond to a cyberattack, and what steps must be followed once systems have been compromised?

OCR has provided further guidance for covered entities in the form of a checklist. The checklist serves as a practical reminder of the correct sequence of actions in an effective breach response.

A swift response requires preparation. By the time a breach occurs it is too late to write a plan, and precious time will be lost. Covered entities should therefore ensure they have response and mitigation procedures, and contingency plans, that can be put into action immediately when a cyberattack is detected.

OCR reminds covered entities that the first step is to secure ePHI and stop further access to the data, preventing any impermissible disclosure of PHI. In the case of a hack, that means isolating the affected device(s) from the network, blocking access to ePHI, and preventing any data from being exfiltrated.

Healthcare organizations with in-house cybersecurity staff may be able to contain the incident and secure their PHI themselves; those that cannot can turn to one of the many third-party cybersecurity firms that offer incident response services. As part of breach response planning, covered entities should identify in advance the organization(s) that can assist, so they can be contacted immediately after a breach. Bear in mind that HIPAA business associate agreements must be in place beforehand, since those firms will need access to systems containing ePHI.

The second step is to report the incident to law enforcement. Covered entities should notify the FBI and/or the U.S. Secret Service and state or local law enforcement. While the details of the breach must be reported, covered entities should ensure that the information they share contains no PHI.

Cyber threat indicators should then be shared with the HHS Assistant Secretary for Preparedness and Response, information sharing and analysis organizations (ISAOs), and the Department of Homeland Security, again taking care not to disclose any ePHI.

The cyberattack should be investigated and the affected individuals identified. Those individuals must be notified of the breach no later than 60 days after the breach is discovered, although notifications should be issued as soon as possible and without unreasonable delay.

OCR must also be notified within 60 days of discovery, and without unreasonable delay, if the breach affects 500 or more individuals. Breaches affecting fewer than 500 individuals must be reported to OCR within 60 days of the end of the calendar year in which they were discovered.

OCR reminds covered entities that "All cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident."