We Have Just Experienced a Cyber Attack, What Do We Need to Do Now?
Published: January 15th, 2019
If you have just experienced a ransomware attack or other cybersecurity incident, you may be wondering what to do next. Fortunately, the HHS Office for Civil Rights (OCR) has provided a quick-response checklist that explains step by step what a HIPAA covered entity or its business associate should do in response to an incident.
In the event of a cyber-attack or similar emergency, an entity should:
- Execute Response and Contingency Plans - An entity should execute its response and contingency plans. It should immediately fix any technical issues to stop the incident and take every step necessary to mitigate the disclosure of protected health information.
- Report the Crime to Law Enforcement - An entity should report the crime to law enforcement agencies, including state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service. If a law enforcement official informs the entity that the report would impede a criminal investigation or harm national security, the entity must delay reporting the breach for the period the law enforcement official requests in writing, or for 30 days if the request is made orally.
- Report Cyber-Threat Indicators to Federal and Information-Sharing and Analysis Organizations (ISAOs) - These include the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs.
- Report the Breach to OCR - An entity should report the breach to OCR as soon as possible, and no later than 60 days after the discovery of a breach affecting 500 or more individuals.
An entity must also notify the affected individuals and the media, unless a law enforcement official has requested a delay in reporting. An entity that discovers a breach affecting fewer than 500 individuals must notify the affected individuals without unreasonable delay, and no later than 60 days after discovery. It must also inform OCR within 60 days after the end of the calendar year in which the breach was discovered.
Reference: https://www.hhs.gov/sites/default/files/cyber-atta...