Healthcare Cybersecurity

Ponemon Study Reveals Impact of Data Breaches on Organizations’ Reputation

Organizations that experience data breaches can expect many negative repercussions such as loss of reputation, loss of customers and fall of share value. The impact of a data breach on a company’s reputation and share value has recently been studied by the Ponemon Institute.

The Centrify-sponsored survey was conducted on IT operations and information security professionals, senior level marketers, communications professionals and consumers. 31% of the 446 IT practitioners said they had experienced a data breach of more than 1,000 sensitive records in the past two years, while 62% of the 549 consumers surveyed said they had been notified by companies or government agencies that their data had been exposed as a result of a data breach in the past 24 months.

Data breaches are to be expected; however, the study suggests that the C-Suite and boards of directors do not fully appreciate the negative impact data breaches can have on companies’ reputations. The effect can be considerable. The Ponemon Institute tracked the share value of 113 publicly traded companies for 30 days prior to a data breach and for 90 days following the breach. On average, share value dropped by 5% following the disclosure of a data breach.

However, it is possible to stop a decline in share value following a breach, provided companies are able to respond quickly. Companies that had self-declared their security posture to be superior prior to a breach, and were able to respond quickly to the security incident, regained stock value after an average of 7 days.

Companies that had a poor security posture and failed to respond quickly saw a stock price decline that lasted an average of 90 days. Organizations with a poor security posture and slow response were also more likely to lose customers as a result of the breach.

The potential for loss of customers is considerable. 31% of consumers said they discontinued their relationships with the breached entity following a data breach, while 65% said they lost trust in the organization after being affected by one or more breaches. The average losses reported by organizations with a low customer loss rate (less than 2%) were $2.67 million. A customer loss rate of 5% resulted in average revenue losses of £3.94 million.

The study also revealed that healthcare organizations are trusted the most when it comes to keeping sensitive information secure. 80% of consumers said they trusted their healthcare providers to protect their sensitive information with the industry ranking highest in terms of consumer trust, even though healthcare organizations experience 34% of all data breaches.

Apart from banks, which were trusted by 77% of consumers, trust in financial institutions was far lower. Only 26% of consumers trusted their credit card company to protect data, even though credit and financial institutions account for just 4.8% of data breaches.

The post Ponemon Study Reveals Impact of Data Breaches on Organizations’ Reputation appeared first on HIPAA Journal.

Microsoft Patches Two Critical, Actively Exploited Vulnerabilities

Microsoft released a slew of updates this Patch Tuesday, including patches for two critical vulnerabilities that are being actively exploited in the wild. In total, 95 vulnerabilities were addressed yesterday, eighteen of which have been rated critical and 76 as important.

The two actively exploited vulnerabilities are of most concern; in fact, one is so serious that Microsoft took the decision to issue a patch for Windows XP, even though extended support for the outdated operating system ended in April 2014. As with the emergency patch issued last month shortly after the WannaCry ransomware attacks, the vulnerability was considered so severe it warranted a patch.

Adrienne Hall, general manager of Microsoft’s Cyber Defense Operations Center, explained the decision to issue a patch for Windows XP saying, “Due to the elevated risk for destructive cyberattacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.”

The flaw – CVE-2017-8543 – exists in the Windows Server Message Block (SMB) service. It was also an SMB service vulnerability that was exploited in the recent WannaCry ransomware attacks that spread to more than 300,000 devices in 150 countries on May 12.

CVE-2017-8543 could similarly be exploited by cybercriminals to install malware with wormlike capabilities, allowing infections to spread rapidly across a network. The flaw exists in most Windows versions, including Windows XP, Windows 7, Windows 8.1 and Windows 10, as well as Microsoft Server 2003, 2008, 2012 and 2016. Microsoft has also issued a patch for Microsoft Server 2003.

As with the WannaCry attacks, the vulnerability could be exploited without any user interaction required. A remote unauthenticated user could trigger the vulnerability via an SMB connection. If exploited, the attacker could take control of the infected device. Since this vulnerability is being actively exploited in the wild, it is essential that the patch is applied promptly.

The other critical – and actively exploited – flaw is CVE-2017-8464, an LNK remote code execution vulnerability. This vulnerability can be exploited using a specially crafted shortcut file.

While not believed to be exploited at present, a memory corruption vulnerability in Outlook (CVE-2017-8507) is of particular concern. An attacker could exploit the vulnerability simply by sending a specially crafted message to an Outlook user. The vulnerability would be triggered when the user views the message, giving the attacker full control of their computer. No attachment would need to be opened in order for the vulnerability to be exploited.

CVE-2017-8527 could also potentially be exploited with little user interaction required. A user would only be required to visit a website with specially crafted fonts.

Patches have also been issued for remote code execution vulnerabilities in Microsoft Edge and Internet Explorer. These flaws are not being actively exploited at present, although the flaws have been publicly disclosed so it is only a matter of time before attacks occur.

In addition to the patches released by Microsoft, Adobe has similarly issued a round of updates. In total, 21 vulnerabilities have been addressed, 15 of which have been rated critical. Four products have been updated – Flash, Shockwave, Captivate and Adobe Digital Editions.

While Microsoft has now issued patches for unsupported operating systems on two occasions in the past 30 days, this should not be taken as a sign that flaws will continue to be addressed. Any organization still using unsupported operating systems should ensure those systems are upgraded to supported Windows versions as soon as possible. Further flaws are likely to be discovered, but Microsoft is unlikely to continue to release patches.

Eric Doerr, general manager of the Microsoft Security Response Center said, “Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies.”

The post Microsoft Patches Two Critical, Actively Exploited Vulnerabilities appeared first on HIPAA Journal.

Reducing the Impact of Healthcare-Focused WannaCry-Style Ransomware Attacks

by Sean Masters, Worldwide Programs Manager, Services & Support, Zerto

Starting with a major attack on the UK’s National Health Service (NHS) several weeks ago, the WannaCry ransomware attack has now spread to more than 150 countries, producing tens of thousands of infections and causing worldwide data havoc.

Healthcare organizations like the NHS are often prime ransomware targets, because the hackers behind the attacks know that healthcare data is among the most crucial of data types. They take advantage of this fact in the most vicious way possible. In fact, according to a 2016 Ponemon Institute report, 79 percent of healthcare organizations say they were hit with two or more data breaches in the past two years.

This number is especially striking when you consider that data attacks on hospitals literally put lives at stake. Yet so many healthcare organizations, evidenced by the damages of the WannaCry attacks, are not prepared to address and recover from a disaster when it strikes. In today’s data-reliant environment, if your recovery times are being measured in days or even hours, the damage can be catastrophic from both a corporate asset and patient care perspective.

And, sorry to say, ransomware is not going anywhere. Hackers are only going to get more sophisticated, equating to an increase in both the frequency and severity of attacks. As a result, organizations are increasingly concerned about the cost of defending against attacks. Many are even stockpiling funds to pay ransoms and keep things quiet.

On top of this, healthcare reform is ever-changing and the shifting compliance requirements are hard to keep up with. Now, healthcare organizations must be able to recover data after an outage, like one resulting from a ransomware attack, and demonstrate that they have conducted an annual disaster recovery test.

If a health provider is able to do this successfully and efficiently, it will eliminate the need to pay the ransom when ransomware strikes. A solid disaster recovery plan will help them restore an infrastructure back to just before the attack.

As if looming attacks and audits aren’t enough, on the front-end side, patients have become more demanding and engaged – they expect to be able to view their data online or through a mobile app – which further exposes IT to external threats. Not to mention the numerous self-inflicted issues all types of organizations experience with incidents like a new staff member accidentally shutting down a server, or an incorrectly configured program. One of the more troubling causes of interruptions is regular, routine software patching and upgrades, which are sometimes not of the highest quality and very often exceed the capacity to adequately test an environment.

While IT is a crucial healthcare asset, it’s also creating a stronger dependency on data to keep operations running as normal. With this ever-increasing dependence on data, healthcare IT organizations must put strategies in place to ensure there is never any downtime. One way to achieve this is by leveraging a cloud-based approach that allows for dramatically simpler disaster recovery that makes non-disruptive testing possible, at any time.

Leveraging a hybrid cloud infrastructure as part of a disaster recovery strategy, in particular, introduces certain efficiencies not otherwise available, allowing healthcare IT organizations to accelerate service levels and maximize uptime in the event of an attack or disaster. The lower costs and the wide breadth of services offered by the cloud can also enable businesses to run tests more easily, a crucial aspect of a sound disaster recovery plan.

Testing the Disaster Recovery Plan Frequently

Non-disruptive disaster recovery testing is key here. You need to be an expert in the event of an outage, and if you’re practicing only once per year, you might not be as on point as you thought when it comes time to bat. Frequent testing is very important – each quarter is ideal. The point of testing is to ensure that each part of the disaster recovery plan is functioning seamlessly.

Testing is extremely important. It doesn’t matter what’s on paper, real scenario testing brings up issues that may have been overlooked. Until testing takes place, on a consistent basis, there is no way to see whether plans will work effectively, especially with today’s increasingly complex systems.

The Impact of Downtime

When most organizations hear the word downtime, the primary concern is the financial impact on the business. According to stats released by healthsystemCIO.com, almost 40 percent of global healthcare organizations experienced a costly unplanned outage in 2016. With an average cost of $432,000 per incident, and at least three incidents per year, downtime costs quickly approach the millions of dollars range. But in healthcare it’s about so much more. We also must account for the potential detriment to the quality of patient care. This is of course harder to quantify in terms of a dollar amount, but is certainly the highest-priority factor to consider.

Thwarting Cybercriminals

When it comes to cybercrime, Plan A is to keep hackers and malicious actors out. Securing the network and educating employees on the risks is essential to this plan. However, a hacker only needs to be right one time while the corporate IT department has to be right all the time in order to keep hackers out. Therefore, IT needs to also have a Plan B. What happens if hackers do get in, as they did in the case of WannaCry? What is the recovery plan?

Every healthcare organization should be asking themselves these questions if they haven’t already. Ransomware is not always going to be avoidable, but experiencing downtime from it is. The only way to achieve zero downtime (or very close to zero) is to, first, admit that preventative security measures are not enough. Then, with cloud-based tools, put in place a disaster recovery strategy that makes both testing and recovery exceptionally simple and automated. From there, test, test, test and test again.

Follow these steps and the next time a global cybercrime crisis hits, you’ll not only be thankful you did, but you’ll be moving your company forward while others struggle to recover data and avoid downtime.

The post Reducing the Impact of Healthcare-Focused WannaCry-Style Ransomware Attacks appeared first on HIPAA Journal.

OCR Issues Guidance on the Correct Response to a Cyberattack

Last week, the Department of Health and Human Services’ Office for Civil Rights issued new guidance to covered entities on the correct response to a cyberattack. OCR issued a quick response checklist and accompanying infographic to explain the correct response to a cyberattack and the sequence of actions that should be taken.

Responding to an ePHI Breach

Preparation is key. Organizations must have response and mitigation procedures in place, and contingency plans should exist that can be implemented immediately following the discovery of a cyberattack, malware or ransomware attack.

The first stage of the response is to take immediate action to prevent any impermissible disclosure of electronic protected health information. In the case of a network intrusion, unauthorized access to the network – and data – must be blocked and steps taken to prevent data from being exfiltrated.

Healthcare organizations may have staff capable of responding to such an incident, although third party firms can be contracted to assist with the response. Smaller healthcare organizations may have little choice but to call in external experts to investigate a breach and ensure access to data has been effectively blocked.

OCR has reminded covered entities that a third-party cybersecurity firm brought in to assist with response and mitigation would be classed as a business associate. Therefore, prior to access to systems being provided, a HIPAA-compliant business associate agreement must be signed by the cybersecurity firm. Failing to obtain a signed BAA prior to access to systems being provided would be a violation of HIPAA Rules and classed as an impermissible disclosure of ePHI.

Cyberattacks Should be Reported to Law Enforcement

A cyberattack is a crime; therefore, law enforcement should be notified. Covered entities should alert the FBI and/or Secret Service to any cyberattack or ransomware incident and notify state and local law enforcement. Details of the incident should be provided, although covered entities should not disclose any protected health information, unless otherwise permitted by the HIPAA Privacy Rule (45 C.F.R. § 164.512(f)).

Covered entities have been advised that law enforcement may request that breach reporting be delayed when the announcement of a breach may impede an investigation or could otherwise harm national security. Written requests by law enforcement should state the duration of the delay and should be honored, while oral requests should result in a delay of no more than 30 days from the original request (45 C.F.R. § 164.412).

Sharing Threat Indicators

After law enforcement has been notified, covered entities should report cyber threat indicators to federal agencies and information sharing and analysis organizations (ISAOs). The Department of Homeland Security and the HHS Assistant Secretary for Preparedness and Response should be provided with threat indicators, although covered entities should not disclose any protected health information in their reports.

Notifying Affected Individuals and OCR

Covered entities are advised that threat indicator information is not passed to OCR by other federal agencies. Covered entities must therefore submit a separate breach notice to OCR as soon as possible, and certainly no later than 60 days following the discovery of the breach if the incident impacts 500 or more individuals (unless otherwise instructed by law enforcement).

Covered entities can notify OCR of a breach impacting fewer than 500 individuals within 60 days of the end of the calendar year in which the breach was discovered.

According to the guidance, “OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident.”

In all cases, individuals impacted by a security breach must be notified without unnecessary delay and no later than 60 days following the discovery of a breach.

OCR’s checklist and infographic can be downloaded using the links below:

OCR’s Cyber Security Checklist

Cybersecurity Infographic

The post OCR Issues Guidance on the Correct Response to a Cyberattack appeared first on HIPAA Journal.

Data Breach Risk From Out of Date Operating Systems and Web Browsers Quantified

The recent WannaCry ransomware attacks have highlighted the risks from failing to apply patches and update software promptly; however, a new study conducted by BitSight sought to quantify the level of risk that tardy updates introduce.

For the study, BitSight analyzed the correlation between data breaches and the continued use of old operating systems such as Windows 7, Windows Vista and Windows XP and old versions of web browsers.

Operating systems and browsers used by approximately 35,000 companies from 20 industries were assessed as part of the study. BitSight checked Apple OS and Microsoft Windows operating systems and Chrome, Internet Explorer, Safari, and Firefox web browsers.

2,000 of the companies studied (6%) had out of date operating systems on more than half of their computers. BitSight said 8,500 companies were discovered to be using out of date web browsers.

BitSight used its risk platform to study computer compromises and identified operating system and browser versions at those companies. BitSight was able to determine that organizations running out of date operating systems were three times more likely to suffer a data breach than those running newer operating systems. Organizations with out of date web browsers were two times more likely to experience a data breach.

The analysis did not confirm whether the data breaches occurred as a direct result of running outdated browsers and operating systems. The outdated software was only an indicator in the risk profile of those companies.

BitSight research scientist Dan Dahlberg said it is common knowledge that using outdated software and operating systems increases risk, but the big surprise from the study was the number of companies that were taking such big risks. For instance, prior to the WannaCry attacks, 20% of computers analyzed during the study were still running Windows XP.

The healthcare industry fared better than other industry sectors with 85% of organizations using up to date browsers and operating systems. However, 15% were taking risks by failing to update their browsers promptly and upgrade their operating systems.

Unsurprisingly, government organizations were some of the worst offenders, with more than a quarter of computers running on old operating systems and using out-of-date browsers.

The post Data Breach Risk From Out of Date Operating Systems and Web Browsers Quantified appeared first on HIPAA Journal.

WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals

The Department of Health and Human Services (HHS) has issued a cyber notice to alert healthcare organizations of the continuing problems caused by the WannaCry ransomware attacks on May 12, 2017.

Following the attacks, the United States Department of Homeland Security (DHS) issued a statement saying the U.S. had suffered ‘limited attacks’ with only a small number of companies affected. However, the problems caused by those attacks have been considerable. The HHS says two large, multi-state hospital systems are still facing significant challenges to operations as a result of the May 12 attacks.

The Windows SMB vulnerability (MS17-010) exploited by the threat actors was addressed by Microsoft in a March 14, 2017 update, with an emergency patch released for unsupported Windows versions shortly after the attacks took place. The patches will prevent the MS17-010 vulnerability from being exploited and thus prevent WannaCry from being downloaded.

The encryption routine used by the WannaCry malware was deactivated quickly following the discovery of a kill switch. While the encryption process has been blocked, that does not stop infection. Vulnerable devices could still be infected if the patch has not been applied.

Further, if a device has already been infected prior to the patch being applied, the malware will still be present on the infected system. The HHS likens the patch to quarantining a patient. While that action will prevent the spread of the infection to other individuals, simply placing a patient in quarantine will not remove the infection in that patient.

While the ransomware component of the malware is not active, the presence of the malware on computer systems will have some effects. Those are dependent on the Windows version installed.

If the malware is present, it will be capable of scanning the network for other vulnerable devices and spreading to those devices.

The HHS says that if a device has been infected with WannaCry, reimaging and applying the patch will remove the virus and prevent it from being installed again. However, HHS explains that while the patch addresses a vulnerability in the Windows Server Message Block version 1 (SMBv1) protocol, that may not be the only vulnerability that is exploited to download WannaCry. Even patched systems may still be infected if the threat actors exploit a different vulnerability to introduce the malware. Patches must therefore be applied promptly after they have been issued to prevent future WannaCry – and other – malware attacks.

If you have been affected by WannaCry, the HHS recommends contacting your FBI Field Office Cyber Task Force or the US Secret Service Electronic Crimes Task Force to report the incident and request assistance.

The HHS also recommends contacting the FDA’s 24/7 emergency line at 1-866-300-4374 if a suspected cyberattack affects medical devices.

HHS has issued the following advice to healthcare organizations on mitigating the risk of WannaCry infection:

The post WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals appeared first on HIPAA Journal.

Final Healthcare Cybersecurity Task Force Report Details 6 Imperatives to Improve Security

The Health Care Industry Cybersecurity (HCIC) Task Force was formed by Congress, as required by the Cybersecurity Act of 2015. The purpose of the HCIC Task Force is to address the cybersecurity challenges faced by the healthcare industry and help the healthcare industry improve cybersecurity defenses and prevent security breaches.

The Cybersecurity Information Sharing Act of 2016 required the Health Care Industry Cybersecurity Task Force to issue a report detailing improvements that can be made to improve cybersecurity in the healthcare industry. The final version of the report was released on Friday June 2.

The HCIC Task Force explains in the report that the high number of hacking incidents, ransomware attacks and data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in recent years clearly show the healthcare industry is struggling to secure networks and data.

The HCIC Task Force says many healthcare organizations believe cybersecurity vulnerability is low. Recent breaches and ransomware attacks have shown that assumption is false. While recent data breaches have highlighted the very real risk of security incidents and data breaches, addressing vulnerabilities and improving security is a major challenge.

Most healthcare organizations have extremely limited budgets and lack highly skilled cybersecurity personnel. Their infrastructures make it difficult to identify and track threats, and a lack of skilled staff means many healthcare organizations cannot easily translate threat data into actionable information. Even if threat information can be turned into actionable information, many organizations do not have the capability to act on that information.

However, these cybersecurity threats place the safety of patients at risk. Recent ransomware attacks have shown that access to patient data can be blocked, while vulnerabilities in medical devices could be exploited to cause patients serious harm. The report says, “health care cybersecurity is a key public health concern that needs immediate and aggressive attention.”

Prior to writing the report, the HCIC Task Force consulted experts from other critical infrastructure sectors and received briefings on strategies and safeguards that could be implemented to address key cybersecurity threats. The Task Force also spoke with stakeholders on the challenges faced by the healthcare industry.

One of the key problems identified in those discussions is severe budgetary constraints. That means healthcare organizations are faced with a choice between purchasing cybersecurity technologies to secure networks and data, buying new, much-needed medical equipment, or paying staff costs.

However, if vulnerabilities are not addressed and action is not taken to improve security, the safety of patients will be placed at risk.

In a recent blog post, Steve Curren, Director of the Division of Resilience in ASPR’s Office of Emergency Management, said “The Office of the Assistant Secretary for Preparedness and Response understands that healthcare facilities are facing these challenges right now and we have developed a collection of peer-reviewed resources on cybersecurity to help healthcare industry stakeholders better protect against, mitigate, respond to, and recover from cyber threats, in order to better defend patient safety and operational continuity.”

Task Force Co-Chairs Emery Csulak and Theresa Meadows explained that “While much of what we recommend will require hard work, difficult decisions, and commitment of resources, we will be encouraged and unified by our shared values as health care industry professionals and our commitment to providing safe, high quality care.”

In the report, the HCIC Task Force made several recommendations to improve healthcare cybersecurity and detailed six high-level imperatives:


The authors say, “The successful implementation of these recommendations will require adequate resources and coordination across the public and private sector. Once implemented, the recommendations will increase security for the health care industry’s organizations, networks, and associated medical devices.”

The report has changed little from the pre-release version released early last month. The final version of the 88-page report can be viewed on this link.

The post Final Healthcare Cybersecurity Task Force Report Details 6 Imperatives to Improve Security appeared first on HIPAA Journal.

Seton Healthcare Family Hospitals Targeted by Cybercriminals

Ascension Health, which runs the Seton Healthcare Family hospital network in Austin, TX, announced earlier this week that a computer virus had been discovered on its computer network. The hospital network was alerted to a potential cyberattack on Sunday when ‘suspicious activity’ was detected on the network.

In response to the suspected cyberattack, Seton Healthcare shut down around 3,600 devices as a precautionary measure while the incident was investigated. The suspicious activity was attributed to a virus, although no details have been released on the nature of the malware.

IT teams worked quickly to remove the virus and secure the network. The computer systems used by Dell Seton Medical Center and Dell Children’s Medical Center were quickly restored, although Seton Medical Center Williamson and Seton Medical Center Hays continued to be impacted by the incident until Wednesday, May 31. The Seton Smithville Regional Clinic and Seton Shoal Creek facility were unaffected.

The fast response by Seton Healthcare reduced the impact of the cyberattack. Staff had been drilled to expect incidents such as this and policies and procedures could be quickly implemented in case of malware, ransomware or hacking incidents. As this incident shows, healthcare organizations need to be prepared for security incidents and have the capability to respond rapidly.

A statement about the incident was issued earlier this week by Ascension Health confirming there were “no patient safety issues” and “no devices have been reported as encrypted by ransomware.” Systems were shut down as a safety precaution, with staff members moving to paper records while systems were down and the virus was removed. Ascension Health said “The attempt was unsuccessful, so no data was encrypted or lost.”

Out of an abundance of caution, emergency medical services were instructed to redirect some patients to other hospitals during the seven hours that the systems were down on Sunday night. Additional members of staff were also called in to ensure patient safety was not affected.

The post Seton Healthcare Family Hospitals Targeted by Cybercriminals appeared first on HIPAA Journal.

OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements

The ransomware attacks and high number of healthcare IT security incidents last month have prompted the Department of Health and Human Services’ Office for Civil Rights to issue a reminder to covered entities about HIPAA Rules covering security breaches.

In its May 2017 Cyber Newsletter, OCR explains what constitutes a HIPAA security incident, how to prepare for such an incident, and how to respond when perimeters are breached.

HIPAA requires all covered entities to implement technical controls to safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). However, even when covered entities have sophisticated, layered cybersecurity defenses and are fully compliant with HIPAA Security Rule requirements, cyber-incidents may still occur. Cybersecurity defenses are unlikely to be 100% effective, 100% of the time.

Prior to the publication of OCR guidance on ransomware attacks last year, there was some confusion about what constituted a security incident and reportable HIPAA breach. Many healthcare organizations had experienced ransomware attacks, yet failed to report those incidents to OCR or notify patients that their ePHI may have been accessed.

OCR has reminded covered entities in its newsletter of the HIPAA definition of a security incident. The HIPAA Security Rule (45 CFR 164.304) describes a security incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

OCR has taken the opportunity to remind covered entities that they need to prepare for those incidents. Policies and procedures should be developed that kick into action immediately following the discovery of a security incident or data breach.

If covered entities react quickly to security incidents and data breaches it is possible to minimize the impact and reduce legal liability and operational and reputational harm. Contingency plans should exist for a range of security incidents and emergency situations. OCR says “policies, procedures, and plans should provide a roadmap for implementing the entity’s incident response capabilities.”

When a breach occurs, the HIPAA Breach Notification Rule requirements must be followed. The HIPAA Breach Notification Rule (45 CFR 164.402) requires OCR to be notified of a breach and notifications to be sent to patients in the event of “an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information.”

Each month, Databreaches.net tracks healthcare data breach incidents, with the Protenus Breach Barometer report showing the time taken for covered entities to report their breaches to OCR. The past few reports show some improvement, with covered entities reporting their breaches more promptly. That said, there have been several cases where data breach notifications have been submitted late and patients have had their notification letters delayed.

OCR reminds covered entities that the HIPAA deadline for reporting security incidents and sending notifications to patients/health plan members is 60 days* from the discovery of the breach.

This is a deadline, not a recommendation. Many covered entities delay issuing notifications until day 59. OCR points out that the HIPAA Breach Notification Rule requires notifications to be issued “without reasonable delay.”

If you missed the email newsletter, you can download a copy on this link: https://www.hhs.gov/sites/default/files/may-2017-ocr-cyber-newsletter.pdf

*Breaches impacting fewer than 500 individuals can be reported to OCR annually, with the deadline 60 days after the end of the year when the breach was discovered. Breaches impacting 500 or more individuals must be reported to OCR within 60 days of the discovery of the breach. Individuals must be notified of a breach of PHI or ePHI within 60 days of the discovery of the breach, regardless of how many individuals have been impacted by the breach.

The post OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements appeared first on HIPAA Journal.