Tips for Responding to Cyber-Related Security Incidents
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released a quick-response checklist briefly describing the steps that HIPAA-covered entities (including medical and dental offices) and their business associates should take in response to a cyber-related security incident. Steps include:
- Executing the entity’s response and mitigation procedures and contingency plans, such as immediately fixing any technical or other problems to stop the incident;
- Reporting the crime to law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service;
- Reporting all cyber-threat indicators to federal agencies and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security and the HHS Assistant Secretary for Preparedness and Response (such reports should not include protected health information); and
- Reporting the breach to the OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals, and notifying affected individuals and the media unless a law enforcement official has requested a delay in the reporting.
Note: OCR considers all mitigation efforts taken by the entity during any particular breach investigation. Such efforts include the voluntary sharing of breach-related information with law enforcement agencies and with federal agencies and information-sharing and analysis organizations.