Security Checklist: OCR Advice on Preparing, Responding to Incidents

By Jane Anderson

A “timely response” to a cybersecurity incident is one of the best ways to prevent, mitigate and recover from cyberattacks, according to HHS Office for Civil Rights (OCR). In addition, reporting any breach must occur “without reasonable delay,” OCR reminded HIPAA-regulated entities.

In its October 2022 OCR Cybersecurity Newsletter, OCR explained that “security incidents will almost inevitably occur during the lifetime of a regulated entity” and spelled out recommended procedures for HIPAA-covered health care entities to follow.[1] “Having a plan established and documented is essential to being able to detect security incidents quickly in order to respond to and recover from security incidents effectively,” OCR said.

Cybersecurity incidents and data breaches have continued to increase across all industries, including health care, OCR said, noting that a 2022 report noticed a 42% increase in cyberattacks for the first half of 2022 compared to 2021 and a 69% increase in cyberattacks targeting the health care sector.

“The number of data breaches occurring in the health care sector also continue to rise,” OCR wrote. “Breaches of unsecured protected health information (PHI), including [electronic] ePHI, reported to …OCR affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021. Seventy-four percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of PHI.”

Form an Incident Response Team

In preparing their security incident response process, regulated entities should consider forming an incident response team that is organized and trained to effectively respond to security incidents, OCR said. The agency recommended utilizing the National Institute of Standards and Technology (NIST) guide to handling computer security incidents.[2] That guide covers:

  • Selecting a team structure and staffing

  • Establishing relationships and lines of communication between the security incident response team and other internal and external groups

  • Identifying internal groups that may need to participate in incident handling, such as management, information technology support, legal, public affairs and communications, human resources, business continuity/disaster recovery, physical security and facilities management

  • Identifying points of contact at external groups that may be helpful to include in the event of an incident, such as network service providers, software and hardware vendors, local and federal law enforcement, incident handling teams of business partners and customers

  • Determining what services the incident response team should provide, such as intrusion detection, advisory distribution, education and awareness and information sharing

“Once formed, the security incident response team should conduct regular testing of security incident procedures,” OCR said. “This could involve conducting tests involving different types of potential security incident scenarios, for example, a malicious insider exfiltrating sensitive information, a cyber-criminal’s infiltration and deployment of ransomware, or a distributed denial of service (DDoS) attack that interrupts system operations. Security incident procedures should be updated with lessons learned from testing as well as from actual security incidents to improve the team’s response and effectiveness.”

OCR added that “having audit logs in place and regularly reviewing such logs are actions that regulated entities are required to take and greatly improve their ability to identify security incidents early.” For instance, log files may help identify when and how a cybercriminal entered an information system and what activities occurred, OCR said. “By recording information system events, alerts, user actions, and other activities in appropriate logs and conducting regular reviews of such logs, regulated entities will have mechanisms and procedures in place to record and review information system activity and be able to identify and respond to security incidents quickly.”

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings