HHS Cybersecurity Guidance - You Still Have Work to Do
The U.S. Department of Health and Human Services Office for Civil Rights ("HHS") recently issued a quick response checklist to outline steps a HIPAA covered entity or business associate should take in response to a cyber-related security incident. The HHS checklist offers general, step-by-step guidance for healthcare providers in the event of a security incident that includes: (1) immediately executing response procedures and contingency plans to fix technical problems to stop a security incident; (2) reporting a security incident to appropriate law enforcement agencies; (3) reporting all cyber threat indicators to federal and information-sharing analysis organizations; and (4) reporting a breach to the HHS as soon as possible (but no later than 60 days after the discovery of a breach affecting 500 or more individuals).
While the HHS checklist is certainly a practical resource for healthcare providers, it does not (and absolutely should not) alleviate a healthcare provider's responsibility to create, implement, and continuously test/update an incident response plan ("IRP") tailored to that provider's circumstances and vulnerabilities. Relying solely on the HHS checklist without an IRP will surely result in panic-based reactions with no structure to guide next steps when a cyber-related security incident inevitably occurs. Further, because of the strict requirements contained in the HIPAA Security Rule - including a duty to identify and respond to security incidents, mitigate harmful effects, and document security incidents and outcomes - a healthcare provider must be particularly vigilant in being cyber-prepared.
Effective and adequate cybersecurity requires early preparation to ensure an appropriate and effective response later. The HHS checklist, though helpful, should be viewed merely as one of a multitude of best practice guides issued by federal agencies for health care providers and other businesses in developing and implementing cybersecurity measures. For more information about how to best respond to a cyber-related security incident and protect your business against a cyber-attack, see the Department of Justice's Incident Response Procedure Instructions or the Federal Trade Commission's Data Breach Response Guide. Please contact Jonathan Klein at (215) 640-8535 | firstname.lastname@example.org or another member of Clark Hill's Cybersecurity team if you have any questions.