OCR Issues a Cyberattack Response 'Checklist'
Meanwhile, Congress Examines HHS' Role in Boosting Cybersecurity in Healthcare
Federal regulators have issued new materials to aid healthcare organizations and their vendors in their "quick response" to cyberattacks.
The checklist and infographic from the Department of Health and Human Services' Office for Civil Rights are part of HHS' ongoing campaign to help improve awareness and especially readiness of healthcare sector entities in dealing with escalating cyberattacks.
Meanwhile, Congress is scrutinizing HHS' role in helping the healthcare sector improve its cybersecurity capabilities.
"Clearly, the [healthcare] sector needs leadership. HHS is uniquely situated to fill this void. Historically, the department has struggled to effectively embrace this responsibility, but that trend cannot continue," noted Greg Walden, R-Oregon, chairman of the House Subcommittee on Oversight and Investigations, during a June 8 hearing.
The hearing followed HHS' June 2 release of a new report to Congress, called for under the Cybersecurity Information Sharing Act of 2015, containing more than 100 recommendations for steps the healthcare sector can take to bolster cybersecurity.
In joint written testimony submitted to the subcommittee, HHS officials told congressional leaders that during the recent WannaCry ransomware attacks, HHS, in coordination with the Department of Homeland Security's National Cybersecurity and Communications Integration Center, "crafted an immediate response to engage the broader healthcare sector and ensure that IT security practitioners had the information they needed to protect against, respond to, and report WannaCry intrusions on their networks."
The HHS officials, in their joint written testimony, added: "While this was the first time HHS had organized itself in this way for a cybersecurity incident, we believe that it has set a standard on how to manage cybersecurity incidents in this era of heightened consequences and in support of the National Cyber Incident Response Plan."
As part of HHS' activities during the WannaCry crisis, the department also sent a series of email alerts and hosted a number of conference calls over a stretch of several days, with thousands of industry stakeholders participating (see HHS Ramps Up Cyber Threat Information Sharing).
Still, those cyber-related efforts need to grow, HHS officials told Congress. "Private and public partnerships are essential, and we can't just stand them up in emergencies," testified Steve Curren, director of the division of resilience at HHS' office of emergency management.
Later this month, HHS expects to launch its Healthcare Cybersecurity and Communications Integration Center, or HCCIC, which is modeled on the design of the Department of Homeland Security's NCCIC. The new center has three goals: improving engagement across HHS operating divisions; strengthening reporting and increasing awareness of healthcare cyber threats across the HHS enterprise; and enhancing public-private partnerships through engagement and outreach, the HHS officials testified.
OCR says its new checklist and infographic explain "the steps for a HIPAA covered entity or its business associate to take in response to a cyber-related security incident."
In the event of a cyberattack or similar emergency, OCR urges that organizations:
- Execute response and mitigation procedures and contingency plans, such as immediately fixing any technical or other problems to stop the incident;
- Report the crime to law enforcement agencies, which may include state or local law enforcement, the FBI or the Secret Service. Such reports should not include protected health information;
- Report all cyber threat indicators to the appropriate federal agencies and information sharing and analysis organizations (ISAOs);
- Report the breach to OCR as soon as possible, and no later than 60 days after discovery, when it affects 500 or more individuals, as required under the HIPAA Breach Notification Rule. Breaches affecting fewer than 500 individuals must still be logged and reported to OCR within 60 days after the end of the calendar year in which they were discovered, and affected individuals must be notified without unreasonable delay and no later than 60 days after discovery in either case.
Helping Smaller Organizations
Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy, says the new guidance should prove helpful, especially to smaller organizations with limited budgets. "This is a guidance document to help CEs and BAs to better understand the steps to take to respond to a security incident. It puts together in a more meaningful type of practice list how to do so while also supporting HIPAA and HITECH Act requirements."
But Kate Borten, president of the privacy and security consulting firm The Marblehead Group, says the checklist and infographic won't prove very helpful to those organizations that have more mature security programs.
"We hope most CEs and BAs are well past this point in their response maturity. But if not, the checklist steps mask deeper processes that are in danger of being overlooked or done improperly - for example breach risk assessment," Borten says.
To bolster the information OCR contained in its new checklist and infographic, Herold suggests that the agency also should:
- Emphasize that breach response does not end after the reports and notices have been issued and highlight the importance of monitoring for other breaches as well as mitigating vulnerabilities;
- Include a link to a page on the HHS site that lists the agencies and departments where breach reports need to be submitted;
- Add a pointer to a page on the HHS site that provides examples of common, along with some not-so-common, threat indicators;
- Point out that in addition to HIPAA and HITECH Act requirements, covered entities and business associates must comply with state breach notification laws and any contractual requirements for breach response.