The HHS Office for Civil Rights (OCR) recently reported that a national cybersecurity firm observed a 42% increase in cyberattacks for 2022 compared to 2021, and a 69% increase in cyberattacks specifically targeting the healthcare sector. Further, breaches of unsecured protected health information (PHI), including ePHI, affecting 500 or more individuals and reported to OCR increased from 663 in 2020 to 714 in 2021, with 74% of reported breaches involving hacking or information technology (IT) incidents. OCR noted that hacking is now the greatest threat to the privacy and security of PHI in the healthcare sector and that timely response to a cybersecurity incident is one of the best ways to prevent, mitigate, and recover from cyberattacks.
As we have recently completed National Cybersecurity Awareness Month, now is a great time for group health plans subject to the HIPAA Security Rule to review their policies and procedures that address security incidents to make sure they follow the guidelines OCR recently reiterated.
Regulated entities must implement and document their plan for responding to security incidents (suspected or known) to include:
- Identifying security incidents
- Responding to security incidents
- Mitigating harmful effects of security incidents
- Documenting security incidents and their outcomes
In preparing their security incident response process, regulated entities like group health plans should consider forming a security incident response team that is organized and trained to effectively respond to security incidents. Among the items to consider in forming a team are:
- Selecting a team structure and staffing
- Establishing relationships and lines of communication between the security incident response team and other internal and external resources
- Identifying internal groups that may need to participate in incident handling (management, IT support, legal, public affairs and communications, human resources, business continuity/disaster recovery, physical security, facilities management)
- Identifying points of contact at external groups that may be helpful to include in the event of an incident (network service providers, software and hardware vendors, local and federal law enforcement, incident handling teams of business partners and customers)
- Determining what services the security incident response team should provide (such as intrusion detection, advisory distribution, education and awareness, information sharing)
The security incident response team should regularly test its security incident procedures. This could involve running exercises based on different types of potential security incident scenarios, such as a cyber-criminal’s infiltration and deployment of ransomware. Updating security incident procedures based on this testing will help protect against, and improve efficiency in responding to, actual security incidents.
The HIPAA Security Rule regulations also require a regulated entity to:
- Identify the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- Maintain and regularly review audit
- Implement hardware, software, and procedural mechanisms to record and examine access and other activity in information systems that contain or use electronic protected health information.
- Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
When responding to a security incident, a regulated entity should contain the security incident and any threat it may pose to ePHI and take appropriate action to ensure the confidentiality, integrity, and availability of its ePHI by:
- Determining the nature and extent of the damage caused by the security
- Identifying and removing any malicious code and components that the security incident may have left
- Mitigating any vulnerabilities that may have permitted the security incident to
- Collecting and preserving data relevant to investigating the security incident, such as log files, registry keys, and other artifacts.
After the security incident has been neutralized and any malware removed, the next steps should include mitigating the harmful effects of the security incident including recovery and restoration of systems and data to return to normal operations. The HIPAA Security Rule requires that regulated entities establish a contingency plan to include data backup and recovery processes.
Frequent backups and verification of the integrity of the backed-up data are crucial to being able to recover data that may have been deleted or had its integrity compromised as a result of a security incident. Backup logs should be reviewed regularly, and test restorations of backups conducted periodically to ensure the integrity of backups and provide confidence in the regulated entity’s ability to restore its data. Because some malware, including some ransomware variants, is known to delete or otherwise disrupt online backups, regulated entities should consider maintaining at least some of their backups offline and unavailable from their networks.
Once a security incident has ended, systems and data have been restored, and operations have returned to normal, regulated entities should document their response and analysis in a record of the security incident. A regulated entity’s security incident procedures should include a section on documenting security incidents and what information to include in the documentation (e.g., discovery of the security incident, systems and data affected, response and mitigation activities, recovery outcomes, root cause analysis, forensic data collected).
Finally, when considering their security incident procedures and how to respond to security incidents, regulated entities must understand their duty to report breaches of unsecured PHI. The Breach Notification Rule requires covered entities to report breaches affecting 500 or more individuals to the affected individuals, to OCR, and (in certain cases) to the media without unreasonable delay and no later than 60 calendar days from the discovery of the breach. Covered entities are required to report breaches affecting fewer than 500 individuals to the affected individuals without unreasonable delay and no later than 60 calendar days from the discovery of the breach, and to OCR no later than 60 days after the end of the calendar year in which the breach was discovered.
The policies and procedures regulated entities create to prepare for and respond to security incidents can pay dividends in the long run with faster recovery times and reduced compromises of ePHI. A well-reasoned, well-tested security incident response plan is integral to ensuring the confidentiality, integrity, and availability of a regulated entity’s ePHI.
This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.