[BreachExchange] Five Takeaways from the OCR Reminder on HIPAA Obligations In Ransomware Incidents

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jul 12 19:09:13 EDT 2017


http://www.jdsupra.com/legalnews/five-takeaways-from-the-ocr-reminder-on-97322/

Apparently prompted by the recent high-profile wave of ransomware attacks,
the Department of Health and Human Services' Office for Civil Rights (OCR)
has reminded hospitals, healthcare systems, and other covered entities and
business associates of their cybersecurity obligations. The reminder
follows earlier OCR guidance that, unless the affected covered entity or
business associate can establish that there is a low probability that
protected health information (PHI) has been compromised, a ransomware
infection that encrypts PHI is presumed to be a breach.

OCR’s reminder reiterated that the HIPAA Breach Notification Rule defines a
breach as the impermissible acquisition of, access to, use of, or
disclosure of PHI. Under these criteria, most ransomware incidents would be
considered breaches absent an affirmative showing, under a high evidentiary
standard, that specific safe harbors apply.

Second, if the ransomware incident implicates the Breach Notification Rule,
OCR emphasized that affected individuals, HHS, and, for breaches affecting
more than 500 residents of a state or jurisdiction, the media must be
notified within the regulatory timelines. The Rule requires notice "without
unreasonable delay," with 60 calendar days after discovery of the breach as
the outer limit. Timely reporting helps mitigate damage at the individual
level (by giving patients a chance to guard against identity theft) and at
the aggregate level (by enabling detection and suppression of threats).

Third, OCR underscored the necessity of having an incident response policy
and different types of contingency plans in place. These policies and plans
provide the affected entity with a mechanism to continue services even
while the security incident is in progress.

Fourth, these policies and plans should be regularly vetted and tested,
under the sponsorship of management. In addition to addressing disaster
recovery and emergency contingencies, they should encompass maintenance
(such as containment testing and regular updates including data backups).
They should also factor in post-incident reviews and investigations.

Finally, OCR stressed the desirability of information sharing: pooling
threat and vulnerability information to make the healthcare sector as a
whole more resilient. The Federal Government has encouraged the process via
measures such as the Cybersecurity Information Sharing Act (CISA) of 2015
and Executive Order 13691, which promotes the formation of Information
Sharing and Analysis Organizations.

The healthcare sector has been particularly vulnerable to ransomware. Its
operations are time-critical and the PHI it stores is highly sensitive,
while its technology infrastructure may be dated, resources are limited,
and IT departments and budgets are stretched thin. Nevertheless, HIPAA's
stringent penalty regime and OCR's stated intention to expand enforcement
mean that HIPAA-compliant plans and processes are more important than ever.
In short, pay a little for compliance now, rather than a lot (in ransom
payments, remediation costs and OCR-imposed penalties) later.