HIPAA requires ‘timely response’ for security incidents, says alert to health sector

Not only will a timely response to security incidents prevent and reduce recovery time from cyberattacks, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement policies to address incidents, according to the cyber bulletin from the U.S. Department of Health and Human Services’ Office for Civil Rights.

To OCR, the rise of hacking incidents across all sectors is cause for concern. About 74% of all healthcare data breaches reported to the agency in 2021 involved hacking or IT incidents, which makes hacking “the greatest threat to the privacy and security of protected health information.”

Consider the latest spate of cyberattacks and related periods of electronic health record downtime in healthcare. The outage at OakBend Medical Center in Texas lasted for about three weeks and led to care diversion during the initial days, as well as the theft of patient data. Patients were also hit with fraud attempts in the wake of the incident.

Meanwhile, CommonSpirit Health was struck with ransomware on Oct. 3 and has led to care disruptions at a portion of its 700 care sites and 142 hospitals across the country. Local media outlets note that many of these impacted hospitals are still working to recover several weeks after the attack. CommonSpirit has not issued an update since Oct. 17.

Based on the financial reports of health systems following several weeks of network outages, cyberattacks can cost upwards of $1 million per each day of downtime. For Scripps Health, a month of downtime after its 2021 cyberattack cost $122.7 million in lost revenue and recovery.

“Security incidents will almost inevitably occur during the lifetime of a regulated entity,” OCR officials wrote. Adhering to the HIPAA-required security incident response plan can enable providers to effectively pivot and recover from potential cyber incidents.

These plans should include methods for identifying and responding to security incidents, as well as mitigating possible harmful impacts and documenting each incident and the outcomes.

Incident response processes should begin with forming a team with specific roles, who are then trained to effectively respond to incidents. OCR recommends the use of NIST’s Computer Security Incident Handling Guide for details on considerations for these team members, including identification of points of contact at external partners to help during an incident.

Once the team is formed, members should conduct regular testing of incident procedures, such as testing for the different types of potential security scenarios. As with most security plans, these “procedures should be updated with lessons learned from testing as well as from actual security incidents to improve the team’s response and effectiveness.”

OCR also reminded providers that the HIPAA Security rule also provides detailed information on the steps needed to better protect against cyber threats. Covered entities will also find supportive documents in the industry-lauded 405d Health Industry Cybersecurity Practices, which is broken down by practice size and includes details into common threats.

Organizations should also note their reporting requirements after an incident, OCR stressed. Namely, HIPAA’s breach notification rule “requires covered entities to report breaches affecting 500 or more individuals to the affected individuals, to OCR, and (in certain cases) to the media without unreasonable delay and no later than 60 calendar days from discovery.”

Most importantly, the time period of 60-day requirement “begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule.” And in some circumstances, “it may be an ‘unreasonable delay’ to wait until the 60th day to provide notification.”

As SC Media recently reported, many incidents involving email hacks are often reported far outside this requirement. OCR noted that its recent enforcement actions stemmed from the provider failing to conduct an accurate risk analysis, perform an evaluation, and implement audit controls, in addition to missing security incident response and reporting and not timely notifying.

“The policies and procedures regulated entities create to prepare for and respond to security incidents can pay dividends in the long run with faster recovery times and reduced compromises of ePHI,” OCR concluded. “A well thought-out, well-tested security incident response plan is integral to ensuring the confidentiality, integrity, and availability of a regulated entity’s ePHI.”