How to Correctly Respond to a Cyber Attack

As technology advances, our dependence on it grows. Practices use technology to streamline administrative tasks, gather patient data, organize and store patient health records, manage finances, and handle other tasks to maximize overall profitability. Unfortunately, the recent growth in technology use also correlates with an increasing concern: the growing number of cybercriminals.

Cybercriminals increasingly target the healthcare industry due to the wealth of information in patient health record files. After gaining access to patient health records, cybercriminals may steal patients' identities themselves or sell those identities on the dark web. A cyber breach can devastate a healthcare practice. A practice should establish a reaction plan so that it can respond effectively and efficiently in the event of a cybersecurity breach.
The following steps appear in the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) recommendations following a cybersecurity breach for an entity covered under HIPAA.
1. Immediately initiate procedures to resolve the technological failure that permitted the cyberattack.
2. Report the breach to local and federal law enforcement.
3. Inform the Department of Homeland Security, the Health and Human Services Assistant Secretary for Preparedness and Response, as well as other information-sharing and analysis organizations (ISAOs) of the cyber threat.
4. Immediately notify the OCR of the security breach within 60 days if the data breach affects more than 500 patients. If the breach affects fewer than 500 patients, the OCR must be notified within 60 days of the end of the calendar year, and the affected individuals must be notified without unreasonable delay.
The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) will take compliance with this checklist into consideration when conducting its investigation. While the steps listed above indicate best practices in the event of a cybersecurity breach, more action may need to be taken depending on the situation. If you have any questions regarding the post-breach procedures, contact an attorney.