• HHS Cybersecurity Guidance - You Still Have Work to Do
  • August 24, 2017
  • The U.S. Department of Health and Human Services Office for Civil Rights ("HHS") recently issued a quick-response checklist outlining the steps a HIPAA covered entity or business associate should take in response to a cyber-related security incident. The HHS checklist offers general, step-by-step guidance for healthcare providers in the event of a security incident: (1) immediately execute response procedures and contingency plans to fix the technical problems and stop the incident; (2) report the incident to the appropriate law enforcement agencies; (3) report all cyber threat indicators to federal agencies and information sharing and analysis organizations; and (4) report a breach to HHS as soon as possible (and, for a breach affecting 500 or more individuals, no later than 60 days after its discovery).

    While the HHS checklist is certainly a practical resource for healthcare providers, it does not (and absolutely should not) relieve a healthcare provider of its responsibility to create, implement, and continuously test and update an incident response plan ("IRP") tailored to that provider's circumstances and vulnerabilities. Relying solely on the HHS checklist without an IRP will surely result in panic-based reactions, with no structure to guide next steps, when a cyber-related security incident inevitably occurs. Further, because of the strict requirements contained in the HIPAA Security Rule - including the duties to identify and respond to security incidents, to mitigate their harmful effects, and to document security incidents and their outcomes - a healthcare provider must be particularly vigilant about being cyber-prepared.

    Effective cybersecurity requires early preparation to ensure an appropriate response later. The HHS checklist, though helpful, should be viewed as only one of the many best-practice guides issued by federal agencies to help healthcare providers and other businesses develop and implement cybersecurity measures.