Privacy & Information Security Law Blog

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the Health Care Industry Cybersecurity Task Force (the “Task Force”) have published important materials addressing cybersecurity in the health care industry.

The OCR checklist, entitled “My entity just experienced a cyber-attack! What do we do now?,” lists key steps that an organization must undertake in the event of a cyber attack. These steps include:

• executing response and mitigation procedures and contingency plans by immediately fixing technical and other problems to stop a cybersecurity incident, and taking steps to mitigate any impermissible disclosure of protected health information (“PHI”);
• reporting the crime to law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation or the Secret Service;
• reporting all cyber threat indicators to federal and information-sharing and analysis organizations (“ISAOs”), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber threat ISAOs; and
• notifying OCR of the breach as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.

The checklist is accompanied by an infographic that lists these steps and notes that an organization must retain all documentation related to the risk assessment following a cyber attack, including any determination that a breach of PHI has not occurred.

The Task Force, which was established in 2015 by Congress, is composed of government officials and leaders in the health care industry. The Task Force’s report notes that “health care cybersecurity is a key public health concern that needs immediate and aggressive attention” and identifies six key imperatives for the health care industry. These imperatives are:

• defining and streamlining leadership, governance and expectations for health care industry cybersecurity;
• increasing the security and resilience of medical devices and health information technology;
• developing the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities;
• increasing health care industry readiness through improved cybersecurity awareness and education;
• identifying mechanisms to protect research and development efforts and intellectual property from attacks or exposure; and
• improving information sharing of industry threats, risks and mitigations.

The report lists recommendations and action items under each of these six imperatives. These include (1) evaluating options to migrate patient records and legacy systems to secure environments (e.g., hosted, cloud, shared computer environments), (2) developing executive education programs targeting executives and boards of directors about the importance of cybersecurity education, and (3) requiring strong authentication to improve identity and access management for health care workers, patients, medical devices and electronic health records.

The report concludes by providing a list of key resources and best practices for addressing cybersecurity threats that were gleaned from studying the financial services and energy sectors.

The publication of these cybersecurity materials follows in the wake of several notable cyberattacks, including the WannaCry ransomware attack that affected thousands of organizations in the health care industry.