The HHS cybersecurity best practices serve as a guide healthcare organizations can adopt to improve their security posture. One of these best practices is security incident response.
HIPAA requires healthcare organizations to report breaches of unsecured protected health information (PHI) to the Office for Civil Rights (OCR). The HIPAA Security Rule defines a security incident more broadly as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Not every security incident is a reportable breach, but every one must be identified, responded to, and documented, and the response must determine whether unsecured PHI was compromised.
The penalties for failing to comply with HIPAA cyber incident response requirements can be severe.
Sentara Hospitals operates 12 acute care hospitals in Virginia and North Carolina. An investigation – following a 2017 complaint to OCR about an individual receiving another patient’s protected health information (PHI) in a bill – discovered Sentara had mailed 577 patients’ PHI to the wrong addresses.
Sentara had reported the breach as affecting only eight people due to the mistaken notion that only violations containing medical information like diagnosis or treatment details need to be reported. Even after being advised otherwise by OCR, Sentara refused to report the breach properly.
Following a complete investigation, Sentara accepted a settlement with OCR and agreed to pay a $2.175 million HIPAA fine for failing to report the breach properly and failing to have a business associate agreement with an entity that performed business associate services.
What are the HIPAA Cyber Incident Response Requirements?
As Sentara and other companies have discovered, HIPAA considers proper reporting of breaches critical to any HIPAA security incident response. Depending on the size of the incident, the requirements of the HIPAA Breach Notification Rule differ slightly.
- Large-scale breaches: affect 500 or more individuals. OCR and the affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; when 500 or more residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified within the same window.
- Smaller breaches: affect fewer than 500 individuals. Affected individuals must still be notified within 60 days of discovery, but OCR may be notified through the annual submission, within 60 days of the end of the calendar year in which the breach was discovered.
In addition to HIPAA breach notification requirements, healthcare organizations must be aware of state reporting requirements, which are often more strict than federal law.
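As an added example that is not part of the original article, the following Python function turns the deadlines described above into a calculator a breach-tracking tool could use. It applies the 500-individual threshold and the 60-day windows stated on the page, and shows how the calendar-year rule pushes the OCR deadline for a small breach discovered in late December into March (or February 29 in a leap year) while the deadline for notifying individuals stays 60 days from discovery. The optional state window is a constructed parameter: real state deadlines vary and must be looked up per jurisdiction.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds and windows from the HIPAA Breach Notification Rule as summarized above.
LARGE_BREACH_THRESHOLD = 500
NOTIFICATION_WINDOW = timedelta(days=60)


@dataclass(frozen=True)
class BreachDeadlines:
    individuals: date      # last day to notify affected individuals
    ocr: date              # last day to notify OCR (the HHS Secretary)
    media_required: bool   # True when media notification applies (500+ individuals)


def breach_deadlines(discovered: date, affected: int) -> BreachDeadlines:
    """Outer limits only: the rule also says 'without unreasonable delay'.

    discovered: the date the breach was discovered (or reasonably should have been).
    affected:   number of individuals whose unsecured PHI was involved.
    """
    if affected < 1:
        raise ValueError("a breach involves at least one individual")

    # Individuals are notified within 60 days of discovery regardless of size.
    individuals = discovered + NOTIFICATION_WINDOW

    if affected >= LARGE_BREACH_THRESHOLD:
        # 500+ individuals: OCR (and media) within the same 60-day window.
        return BreachDeadlines(individuals, individuals, True)

    # Fewer than 500: OCR may be notified within 60 days of the end of the
    # calendar year of discovery. This is the edge case worth checking: a
    # breach found on 20 December has an OCR deadline in the following year.
    year_end = date(discovered.year, 12, 31)
    return BreachDeadlines(individuals, year_end + NOTIFICATION_WINDOW, False)


def effective_individual_deadline(discovered: date, affected: int,
                                  state_window_days: Optional[int] = None) -> date:
    """Earliest of the federal deadline and a (constructed) state deadline.

    state_window_days is an assumed per-state notification window in days from
    discovery; stricter state law shortens the clock, it never extends it.
    """
    federal = breach_deadlines(discovered, affected).individuals
    if state_window_days is None:
        return federal
    return min(federal, discovered + timedelta(days=state_window_days))


if __name__ == "__main__":
    # Constructed scenarios, not real incidents.
    for found, count in [(date(2023, 12, 20), 12), (date(2023, 12, 20), 577)]:
        d = breach_deadlines(found, count)
        print(f"discovered {found}, {count} affected -> individuals by {d.individuals}, "
              f"OCR by {d.ocr}, media: {d.media_required}")
    print("with a 30-day state window:",
          effective_individual_deadline(date(2023, 12, 20), 12, 30))
```

The Sentara case above is a reminder that `affected` must be the count of individuals whose PHI was exposed, not the count of records containing a diagnosis; undercounting flips a breach from the large-breach path to the annual-submission path and makes every deadline wrong.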
To prevent future incidents from occurring, organizations must develop corrective action plans. Corrective action plans must address the gaps in security measures that allowed the breach to occur.
Developing a HIPAA Incident Response Plan
Having a HIPAA incident response plan allows for the quick identification and reporting of security incidents. An incident response plan determines who is responsible for what in a breach.
It also tells employees how to:
- Detect an incident
- Contain an incident
- Correct the situation
- Recover lost data
An incident response plan determines procedures to follow to mitigate the breach’s impact. HIPAA incident response plans should include the following:
- What to do when an incident is suspected
- Who is responsible for evaluating the situation to determine if the incident is actionable
- How to quickly respond to limit damage
- How to find the source of the incident and how to address the incident
- How to recover from the incident
- Who ensures that changes are made to prevent future incidents
Organizations must account for different scenarios to develop an effective incident response plan. Some of the most common breach incidents include:
- Phishing attacks
- Ransomware attacks
- Theft or loss of equipment
- Unauthorized system access
- Insider issues
- Security failures
Developing an incident response plan allows organizations to identify and respond to security incidents quickly. An incident detected and contained early exposes fewer patients' records, keeps the breach below the notification thresholds where possible, and reduces the costs associated with the breach.
HHS Cybersecurity Best Practices
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies