If you have just experienced a ransomware attack or other cybersecurity incident, you may be wondering what to do next. Fortunately, the HHS Office for Civil Rights (OCR) has provided a quick-response checklist that explains step by step what a HIPAA covered entity or its business associate should do in response to an incident.
In the event of a cyber-attack or similar emergency, an entity should:
- Execute Response and Contingency Plans – An entity should execute its response and contingency plans. It should immediately fix any technical issues to stop the incident and take every step necessary to mitigate the disclosure of protected health information.
- Report the Crime to Law Enforcement – An entity should report the crime to law enforcement agencies, including state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service. If a law enforcement official informs the entity that the report would impede a criminal investigation or harm national security, the entity must delay reporting a breach for the time the law enforcement official requests in writing, or for 30 days if the request is made orally.
- Report Cyber-Threat Indicators to Federal and Information-Sharing and Analysis Organizations (ISAOs) – including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs.
- Report the Breach to OCR – An entity should report the breach to OCR as soon as possible, and no later than 60 days after the discovery of a breach affecting 500 or more individuals. An entity must also notify the affected individuals and the media unless a law enforcement official has requested a delay in the reporting. An entity that discovers a breach affecting fewer than 500 individuals must notify the affected individuals without unreasonable delay, and no later than 60 days after discovery. It must also inform OCR within 60 days after the end of the calendar year in which the breach was discovered.