OCR Highlights HIPAA Security Rule Incident Response Procedures
OCR stressed the importance of timely incident detection and response, as required by the HIPAA Security Rule.
The HHS Office for Civil Rights (OCR) utilized its October newsletter to remind covered entities of their incident response obligations under the HIPAA Security Rule. The newsletter provided a refresher of HIPAA Security Rule requirements as well as tips for implementation.
“In the health care sector, hacking is now the greatest threat to the privacy and security of PHI,” the newsletter explained. “A timely response to a cybersecurity incident is one of the best ways to prevent, mitigate, and recover from cyberattacks.”
In fact, about three-quarters of the healthcare data breaches reported to OCR in 2021 involved hacking/IT incidents, the newsletter noted.
Although the HIPAA Security Rule requires covered entities to implement incident response procedures, not all incident response plans are equally effective. Additionally, even with a robust incident detection and response plan, security incidents are nearly unavoidable.
Implementing a comprehensive response plan is crucial to being able to bounce back from a security incident and maintain patient safety amid a cyber event.
OCR outlined several crucial components of incident response that covered entities should take note of, from detecting incidents to mitigating the harmful effects of an incident and understanding breach notification requirements.
First, OCR emphasized the importance of having a well-trained security incident response team. This team may be structured differently depending on the organization, but most incident response teams consist of privacy and security professionals, legal, and information technology support. Human resources, facilities management, and communications professionals may also be included in the team.
“Once formed, the security incident response team should conduct regular testing of security incident procedures,” the newsletter explained.
“This could involve conducting tests involving different types of potential security incident scenarios, for example, a malicious insider exfiltrating sensitive information, a cyber-criminal’s infiltration and deployment of ransomware, or a distributed denial of service (DDoS) attack that interrupts system operations. Security incident procedures should be updated with lessons learned from testing as well as from actual security incidents to improve the team’s response and effectiveness.”
In addition to having a well-trained response team, OCR suggested that organizations further leverage the technical controls that the HIPAA Security Rule already requires them to implement. For example, the HIPAA Security Rule audit controls standard requires covered entities to “implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use electronic protected health information.”
OCR recommended that covered entities regularly review audit logs and record information system events so that they can more quickly detect anomalous activity.
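As an added illustration of the audit-log review OCR describes (this is example code written for this article, not a tool from OCR or HHS), the script below parses a small set of constructed access-log lines for a system holding ePHI and applies three simple detection rules: a user viewing an unusually large number of distinct patient records in a short window, record access outside an assumed working-hours window, and a burst of failed logins. The log format, the field names (`uid`, `action`, `patient`, `result`), and the thresholds are all assumptions chosen for the example; a real deployment would use the fields its own systems actually record.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log for this example (not from the article or OCR).
# Assumed format: ISO timestamp, user id, action, patient record id, outcome.
SAMPLE_LOG = """\
2021-10-04T08:12:03 uid=nurse01 action=VIEW patient=P1001 result=OK
2021-10-04T08:15:41 uid=nurse01 action=VIEW patient=P1002 result=OK
2021-10-04T14:05:10 uid=clerk07 action=VIEW patient=P2001 result=OK
2021-10-04T14:05:12 uid=clerk07 action=VIEW patient=P2002 result=OK
2021-10-04T14:05:14 uid=clerk07 action=VIEW patient=P2003 result=OK
2021-10-04T14:05:16 uid=clerk07 action=VIEW patient=P2004 result=OK
2021-10-04T14:05:18 uid=clerk07 action=VIEW patient=P2005 result=OK
2021-10-04T14:05:20 uid=clerk07 action=VIEW patient=P2006 result=OK
2021-10-04T23:41:00 uid=nurse01 action=VIEW patient=P1003 result=OK
2021-10-05T03:02:11 uid=admin02 action=LOGIN patient=- result=FAIL
2021-10-05T03:02:30 uid=admin02 action=LOGIN patient=- result=FAIL
2021-10-05T03:02:55 uid=admin02 action=LOGIN patient=- result=FAIL
2021-10-05T03:03:10 uid=admin02 action=LOGIN patient=- result=OK
2021-10-05T03:04:00 uid=admin02 action=EXPORT patient=P1001 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the assumed key=value log format into a list of event dicts."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed lines are skipped; a real reviewer would count them
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def bulk_record_access(events, max_patients=5, window=timedelta(hours=1)):
    """Flag users who VIEW more than max_patients distinct records within a window."""
    findings = []
    by_user = defaultdict(list)
    for ev in events:
        if ev["action"] == "VIEW":
            by_user[ev["uid"]].append(ev)
    for uid, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Events are sorted, so this is the set of records seen in [start, start+window].
            seen = {e["patient"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(seen) > max_patients:
                findings.append((uid, start["ts"], len(seen)))
                break  # one finding per user is enough for triage
    return findings


def after_hours_access(events, start_hour=6, end_hour=22):
    """Flag record access outside the assumed 06:00-22:00 working window."""
    return [
        (e["uid"], e["ts"], e["patient"])
        for e in events
        if e["action"] in ("VIEW", "EXPORT") and not start_hour <= e["ts"].hour < end_hour
    ]


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Flag users with `threshold` or more failed logins inside a window."""
    findings = []
    by_user = defaultdict(list)
    for ev in events:
        if ev["action"] == "LOGIN" and ev["result"] == "FAIL":
            by_user[ev["uid"]].append(ev["ts"])
    for uid, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append((uid, times[i]))
                break
    return findings


def review(text):
    """Run all three rules over a log and return the findings grouped by rule."""
    events = parse_log(text)
    return {
        "bulk_access": bulk_record_access(events),
        "after_hours": after_hours_access(events),
        "failed_login_bursts": failed_login_bursts(events),
    }


if __name__ == "__main__":
    for rule, hits in review(SAMPLE_LOG).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

On the constructed log this flags clerk07 for viewing six distinct records in ten seconds, two after-hours accesses (nurse01's late-night view and admin02's 03:04 export), and admin02's three failed logins followed by a successful one. The rules are deliberately simple; the point is that a regularly scheduled review of recorded events, with thresholds tuned to the organization's normal workload, turns the audit-controls requirement into something that can actually shorten detection time.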
When responding to a cyber incident, covered entities should ensure that they have processes in place to identify the scope of the incident, conduct a forensic analysis, and report the incident to relevant external entities.
“While each security incident has its own set of facts that require a well-tailored response, regulated entities should develop a process for security incidents that commonly occur,” OCR stated.
“For example, a regulated entity might have a specific process for responding to a ransomware attack and other processes for responding to insider malicious activity, cyber-attacks from hackers, and phishing attacks. Specific processes addressing common types of security incidents can improve workforce members’ understanding of what to do and the regulated entity’s speed in responding to these security incidents.”
Handling the aftermath of a security incident with care is as important as containing the incident itself. OCR urged covered entities to maintain reliable data backups in advance of the incident so that they can recover deleted data and maintain operations.
OCR also emphasized the importance of documenting the response and analysis process after the incident and ensuring compliance with breach reporting obligations.
“The policies and procedures regulated entities create to prepare for and respond to security incidents can pay dividends in the long run with faster recovery times and reduced compromises of ePHI,” the newsletter concluded.
“A well thought-out, well-tested security incident response plan is integral to ensuring the confidentiality, integrity, and availability of a regulated entity’s ePHI.”