Last month, after the WannaCry ransomware attack infected 230,000 computers in 150 countries, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a "Quick-Response Checklist" for HIPAA covered entities and business associates to follow when responding to a ransomware attack or other "cyber-related security incident," as that phrase is defined under the HIPAA Security Rule. 45 C.F.R. 164.304.
The checklist provides four recommendations:
- Execute the response and mitigation procedures and contingency plans. Entities should immediately fix any technical or other problems to stop the incident and take steps to mitigate any impermissible disclosure of protected health information (either done by the entity's own information technology staff, or by an outside entity brought in to help).
- Report the crime to other law enforcement agencies. This includes state or local law enforcement, the FBI, or the Secret Service. The OCR makes clear that any such report should not include protected health information (unless otherwise permitted by the HIPAA Privacy Rule).
- Report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs). A cyber threat indicator is defined under federal law as information that is necessary to identify malicious cyber activity. The US Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs are all identified as acceptable information-sharing organizations under the new checklist. The OCR, however, makes clear that it does not receive reports from its federal or HHS partners.
- Report the breach to OCR as soon as possible, "but no later than 60 days after the discovery of a breach affecting 500 or more individuals." Entities should notify "affected individuals and the media unless a law enforcement official has requested a delay in the reporting." The OCR also presumes that all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach. An entity that discovers a breach affecting fewer than 500 individuals has an obligation to notify individuals without unreasonable delay, but no later than 60 days after discovery. And the OCR must be notified within 60 days after the end of the calendar year in which the breach was discovered.
In the end, the OCR states that it considers "all mitigation efforts taken by the entity during any particular breach investigation," including the voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations, as outlined in the checklist.
The OCR's checklist makes clear that preparing for, and responding quickly to, any potential breach should be a priority for HIPAA covered entities and their business associates. This includes preparing or updating enterprise-wide incident response plans, training leadership, implementing effective governance programs, and having the ability to rapidly mobilize a response to malicious activity. Dentons' global Privacy and Cybersecurity Group, in conjunction with Dentons' leading healthcare practice, has extensive experience helping entities prepare and execute such plans and dealing with the rapidly changing legal and regulatory landscape that emerges in the aftermath of a security incident.