October 2022 OCR Cybersecurity Newsletter: HIPAA Security Rule Security Incident Procedures (Oct. 25, 2022)
OCR has released its latest cybersecurity newsletter on the importance of having policies and procedures to detect and respond to security incidents. As part of their compliance with the HIPAA security rule, covered entities (including health plans and most health care providers) and business associates (together, “regulated entities”) must implement policies and procedures to address suspected or known security incidents posing a threat to electronic protected health information (ePHI). The newsletter emphasizes the importance of forming an organized and trained security incident response team and outlines steps from the HIPAA security rule that regulated entities should take to protect against cyberthreats, including:
Identifying Security Incidents. Having audit logs in place and regularly reviewing them can help regulated entities identify and respond to security incidents quickly. For example, log files may identify when and how a cyber-criminal entered an information system and what activities occurred.
Responding to Security Incidents. Several items are suggested for inclusion in security incident procedures, such as processes to identify and determine the scope of security incidents; instructions for managing the security incident; and procedures for conducting a forensic analysis to identify the extent and magnitude of the security incident. While recognizing that each security incident is unique and requires a well-tailored response, the newsletter suggests that regulated entities develop a process for security incidents that commonly occur (e.g., ransomware or phishing attacks).
Mitigating Harmful Effects. The newsletter stresses that a critical component of an effective recovery from a security incident is preparation. The contingency plan of a regulated entity must include robust data backup and recovery processes. Given that some malware and ransomware variants can delete or otherwise disrupt online backups, regulated entities are advised to consider maintaining at least some of their backups offline and unavailable from their networks.
Documentation. After the security incident has ended, systems and data have been restored, and operations have returned to normal, regulated entities are advised to document their response and analysis into a record of the security incident.
The newsletter includes a reminder that a security incident may trigger breach notification obligations and references a recent resolution agreement with a university medical center that resulted in an $875,000 settlement over a delayed reaction to a hacking breach (see our Checkpoint article).
EBIA Comment: The newsletter notes that hacking is now the greatest threat to the privacy and security of PHI. With an explicit acknowledgment that security incidents “will almost inevitably occur during the lifetime of a regulated entity,” OCR reminds regulated entities that a well thought-out, well-tested security incident response plan is crucial to ensuring the confidentiality, integrity, and availability of ePHI. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIX.E (“Developing Your Security Program”) and XXX.B.6 (“Standard: Security Incident Procedures”).
Contributing Editors: EBIA Staff.