Tips for Responding to Cyber-RelatedSecurity Incidents

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has released a quick-response checklist briefly describing the steps that HIPAA-covered entities (including medical and dental offices) and their business associates should take in response to a cyber-related security incident. Steps include:

• Executing the entity's response and mitigation procedures and contingency plans, such as immediately fixing any technical or other problems to stop the incident;
• Reporting the crime to other law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service;
• Reporting all cyber-threat indicators to federal and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security and the HHS Assistant Secretary for Preparedness and Response (any reports should not include protected health information); and
• Reporting the breach to the OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals, and notifying affected individuals and the media unless a law enforcement official has requested a delay in the reporting.

Note: OCR considers all mitigation efforts taken by the entity during any particular breach investigation. Such efforts include the voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations.

Click here to read the entire cyber-attack checklist.

Preferred Partner of