Over the last two decades, those of us in the healthcare industry have grown accustomed to the array of new vocabulary words and phrases, acronyms, and pseudo-blends in our daily repertoire – HIPAA, security incidents, PHI, disaster recovery plan, breach notification, and business associates, to name a few. Healthcare has always had an encoded language of its own – but who would have expected that the health care administrator’s fluency would need to extend to actual (computer) code?
Familiarity with computing platforms and cybersecurity is increasingly important for the healthcare administrator. Today, ransomware attacks and cyber-related security incidents are the latest additions to our conference call agendas and risk mitigation discussions. Who knew a techie pirate and his scurvy crew could attack your data and seize your operations? As the recent WannaCry ransomware attacks demonstrated, cyber-pirates can hold your company captive for bounty or, worse yet, disclose protected health information (PHI) with a single keystroke. This is not a restful thought for any compliance team.
The Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) recently provided a Quick-Response Checklist on the steps a covered entity and its business associates should take in response to cyber-related security incidents. The checklist is akin to a step-by-step protocol your covered entity should plan to implement for cyber-related security incidents, such as a ransomware attack. Briefly, those steps include:
- Immediately fix any technical issues and stop the incident;
- Mitigate any impermissible disclosures of PHI;
- Report the crime to state or local law enforcement, the FBI and/or the Secret Service – this report should not include the PHI itself;
- Report all cyber-threat indicators to federal agencies and information-sharing and analysis organizations (“ISAOs”), including the Department of Homeland Security, the DHHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs – these reports should not include the PHI itself; and
- Report the breach to the OCR. For attacks impacting 500 or more individuals, providers are required to inform the OCR as soon as possible, but no later than 60 days after discovery of the breach. For incidents involving fewer than 500 individuals, providers still have an obligation to notify the OCR within 60 days of the end of the calendar year in which the breach occurred.
Further illustrating the centrality of cybersecurity to regulatory compliance, CMS has included cybersecurity within its mandated “all hazards approach” for healthcare facilities. Under this rule, all applicable healthcare facilities (including hospitals, ambulatory treatment centers, and long-term care facilities) must implement a detailed emergency preparedness plan no later than November 16, 2017. Facilities are expected to prepare for terror attacks, natural disasters, epidemics, and now, cyberwarfare.
While the landscape of the healthcare arena evolves through technology and the ever-changing compliance and risk mitigation nuances of our daily lives, keep in mind that you do not have to go it alone. Seek help; protecting the mothership requires all hands on deck. After all, once you have created a virtual-defense strategy and emergency preparedness plan, you’ll rest easier, at least until the next wave.