Even the most current and comprehensive security controls cannot guarantee that PHI will never be compromised, which is why healthcare cybersecurity best practices, including the incident response plan, should be reviewed regularly.
OCR’s May cybersecurity newsletter underlined this point, urging healthcare organizations to “plan, respond, and report” whenever a privacy or security incident occurs.
“Incidents do happen and when they do, effective response planning can be a major factor of how significant an organization suffers operational or reputational harm or legal liability,” OCR warned. “Being able to respond to incidents in a systematic way ensures that appropriate response steps are taken each time to help minimize the impact of breaches.”
First, organizations should understand that a security incident is “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system,” per the HIPAA Security Rule.
In comparison, a breach is defined as “an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information.”
In other words, the fact that a system was accessed does not by itself mean a breach has occurred; a breach requires that PHI was impermissibly acquired, accessed, used, or disclosed. The practical difficulty is that covered entities and business associates often cannot determine from the evidence of a security incident whether PHI was actually accessed, and under the Breach Notification Rule an impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
This is why an incident response plan must be in place, according to OCR. The policies, procedures, and overall plan need to be tailored to the organization’s mission, size, structure, and function.
Furthermore, they should include the processes for the following:
- Preparing for incidents, including assessing the criticality of applications and data
- Detecting and analyzing incidents
- Implementing disaster recovery and emergency operations, as applicable
- Containing, eradicating, and recovering from incidents, including implementing data backup
- Conducting post-incident activities and reviews
Information sharing will also help healthcare organizations create stronger cybersecurity measures, OCR noted.
“Information Sharing is where different organizations share threat, attack, and vulnerability information with each other so that each organization’s knowledge benefits the other,” the newsletter explained. “Covered Entities and Business Associates should consider the best ways to share cyber threat indicators during incidents, while not sharing PHI, and with whom to share those indicators.”
The federal government has also been urging greater information sharing and has enacted legislation to encourage the practice. For example, the Cybersecurity Information Sharing Act of 2015 (CISA) established a framework for exchanging cyber threat indicators and defensive measures between private-sector organizations and the federal government across industries.
Under CISA, healthcare organizations can exchange information about potential cybersecurity threats with each other and with federal agencies, which helps them act on indicators observed elsewhere before the same activity reaches their own networks.
Finally, OCR discussed the Breach Notification Rule.
“Once it has been established a breach has occurred, breach reporting is an important part of the incident management process,” OCR maintained. “Timely reporting helps to identify and rectify problems with individual organizations, identify and assess emerging risks, and protect individuals from identity theft or other fraud.”
Regardless of the size of a breach, affected individuals must be notified without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. When 500 or more individuals are affected, organizations “must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.” Breaches affecting fewer than 500 individuals must still be reported to the Secretary, within 60 days of the end of the calendar year in which the breach was discovered.
“If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate, and, if it discovers additional information, submit updates in the manner specified below,” HHS’s breach reporting instructions state.
Covered entities and business associates can also review other resources to ensure they are properly prepared to respond to potential security incidents or data breaches. These include the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the Department of Homeland Security (DHS).