OCR issues guidance on cyber threat reporting and monitoring
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued guidance on reporting and monitoring cyber threats. The guidance comes just five months after the U.S. Government Accountability Office (GAO) reported that data breaches involving medical records of 500 or more individuals are increasing, a trend that is expected to continue as technology continues to evolve. In connection with its report, the GAO pushed OCR to update its guidance on protecting electronic health information.
The guidance encourages covered entities and business associates to report any suspicious activity (cyber security incidents, cyber threat indicators and defensive measures, phishing incidents, malware and software vulnerabilities) to the U.S. Computer Emergency Readiness Team (US-CERT). The disclosure of such information is meant to alert other entities as well as the federal government to possible or actual threats or vulnerabilities to information systems. US-CERT analyzes data it collects about cyber threats and uses it to develop actionable information on threats. OCR points out that disclosure of protected health information (PHI) is typically not necessary to describe a threat or vulnerability, and that PHI should only be disclosed if permitted under the Health Insurance Portability and Accountability Act (HIPAA) rules.
In addition to reporting suspicious activity, OCR recommends that covered entities and business associates monitor the US-CERT website for reports on vulnerabilities and information about patches and mitigation when available. You can also subscribe to US-CERT’s mailing lists and receive the reports directly via email. Covered entities and business associates can use this information as part of their security management process (45 CFR § 164.308(a)(1)) to help ensure the confidentiality, integrity and availability of electronic PHI.
Fines and penalties associated with security breaches and noncompliance with HIPAA privacy and security requirements have increased significantly in recent years. Actively reviewing guidance issued by OCR and US-CERT and applying such guidance to your systems will tend to improve compliance and reduce both the likelihood of a breach and the amount of any fines or penalties that could be assessed against your organization.
For more information, please contact one of the attorneys listed below.
The guidance encourages covered entities and business associates to report any suspicious activity (cyber security incidents, cyber threat indicators and defensive measures, phishing incidents, malware and software vulnerabilities) to the U.S. Computer Emergency Readiness Team (US-CERT). The disclosure of such information is meant to alert other entities as well as the federal government to possible or actual threats or vulnerabilities to information systems. US-CERT analyzes data it collects about cyber threats and uses it to develop actionable information on threats. OCR points out that disclosure of protected health information (PHI) is typically not necessary to describe a threat or vulnerability, and that PHI should only be disclosed if permitted under the Health Insurance Portability and Accountability Act (HIPAA) rules.
In addition to reporting suspicious activity, OCR recommends that covered entities and business associates monitor the US-CERT website for reports on vulnerabilities and information about patches and mitigation when available. You can also subscribe to US-CERT’s mailing lists and receive the reports directly via email. Covered entities and business associates can use this information as part of their security management process (45 CFR § 164.308(a)(1)) to help ensure the confidentiality, integrity and availability of electronic PHI.
What should you do?
The OCR guidance is nonbinding and is therefore simply a recommendation for compliance. However, failure to identify and mitigate vulnerabilities and risks when such information is available from US-CERT could be detrimental to a covered entity or business associate in the event of an OCR evaluation of the adequacy of the organization’s risk management plan, which is required by the HIPAA Security Rule. This could lead to fines and penalties being assessed against the covered entity or business associate.Fines and penalties associated with security breaches and noncompliance with HIPAA privacy and security requirements have increased significantly in recent years. Actively reviewing guidance issued by OCR and US-CERT and applying such guidance to your systems will tend to improve compliance and reduce both the likelihood of a breach and the amount of any fines or penalties that could be assessed against your organization.
For more information, please contact one of the attorneys listed below.
