The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) recently issued a checklist that details suggested best practices for entities covered by the Health Insurance Portability and Accountability Act (HIPAA) in responding to potentially damaging cyber attacks.  The checklist, and an accompanying infographic, provide welcome guidance for health care companies, which have found themselves increasingly targeted by cybercriminals who seek to steal valuable data or launch potentially devastating ransomware attacks.  Indeed, last month’s WannaCry ransomware attack crippled portions of the U.K.’s National Health Service, resulting in the cancellation of medical procedures and the closure of emergency rooms across the U.K.

OCR’s guide should serve as a quick response tool for all HIPAA-covered entities – including health care organizations and their vendors – to efficiently and effectively react to a cyber attack.  Importantly, the checklist identifies the minimum criteria, or foundational elements, a company must meet in the wake of a cyber emergency to safeguard data. Specifically, OCR’s checklist recommends that HIPAA covered entities (and affiliates) pursue the following actions:

  1. Execute mitigation procedures to immediately fix the technical problem that caused or permitted the cyber attack;
  2. Report the breach to local and federal law enforcement;
  3. Share all cyber threat indicators with information-sharing and analysis organizations (ISAOs), which include the Department of Homeland Security, Health and Human Services Assistant Secretary for Preparedness and Response, and private sector ISAOs; and
  4. Disclose the breach to OCR immediately – but no later than 60 days following the discovery of a breach that affects at least 500 people – and to those whose information has been compromised.  If a cyber attack affects fewer than 500 people, the HIPAA covered entity must notify the affected individuals “without unreasonable delay” and report the breach to OCR within 60 days of the end of the calendar year.

Compliance with these protocols by health care entities will be considered by OCR as a mitigating factor in any OCR investigation into a data breach.

It is important to note, however, that the checklist only addresses post-breach compliance under HIPAA.  Health care providers may have other reporting obligations under federal and state laws, particularly state data breach notification laws.  Health care providers that are the victims of a data breach should consult with counsel to determine the extent of their reporting obligations.

Last week’s massive ransomware attack should serve as a wake-up call that companies across all industries, including and perhaps especially the health care industry, must take the threat of global ransomware seriously.

The WannaCry attack reportedly crippled some of the computer systems of the U.K.’s National Health Service (NHS), forcing emergency room closures and the cancellation of patient appointments and medical procedures throughout the U.K., before spreading rapidly around the world to the computer networks of businesses and organizations in a variety of industries and regions.

The attack on the NHS echoed attacks in early 2016 on U.S. healthcare providers, including the February 2016 ransomware attack on the Hollywood Presbyterian Medical Center in California, which was forced to pay hackers approximately $17,000 in bitcoins to restore access to patient data and computer systems.  The WannaCry attack comes after the July 2016 announcement by the Department of Health and Human Services Office of Civil Rights (OCR) that it will consider ransomware attacks to constitute potential breaches of the Health Insurance Portability and Accountability Act (HIPAA) if confidential patient data is compromised, adding the prospect of enforcement actions and penalties for health care providers who find themselves to be the victims of ransomware attacks.

In a recent Clients & Friends Memo, we examine the nature of the threat posed by ransomware, what happened in the WannaCry attack, and three key lessons that have emerged for all businesses seeking to protect themselves:

  • First, as ransomware attacks continue to be successful, they will increase in frequency and scale.
  • Second, the WannaCry attack might have been prevented if companies had been more diligent about implementing basic cybersecurity practices, such as patching software vulnerabilities and training staff to detect phishing emails, i.e., emails that appear legitimate but contain links or files that deploy computer viruses if opened.
  • And, third, companies that fail to take reasonable measures to prevent attacks might find themselves to be the subject of costly regulatory enforcement actions or private litigation.

Read our full Clients & Friends Memo.