The recent WannaCry ransomware and Petya/notPetya malware attacks that targeted thousands of organizations around the world, most notably health care providers and pharmaceutical companies, signal the urgency of protecting against ever-evolving cybersecurity risks. As a result of these attacks, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has developed a growing set of resources to provide planning and response guidance to health care entities. OCR recently issued a Quick-Response Checklist and infographic as well as guidance that outlines the steps that a HIPAA-covered entity or business associate can take in response to a cyber threat or attack.

In addition to reporting to OCR as soon as possible any breach of protected health information (PHI) affecting 500 or more individuals, OCR recommends in its checklist that a health care organization experiencing a cyberattack or similar emergency do the following:

  • Execute its response and mitigation procedures and contingency plans;
  • Report the crime to other law enforcement agencies; and
  • Report all cyber threat indicators to the appropriate federal and information-sharing and analysis organizations.

The OCR guidance materials also encourage health care organizations to share threat, attack and vulnerability information with each other in order to reduce the threat of ongoing harm.

Securing the information exchange of health data is a significant challenge. OCR is vocalizing its awareness of this challenge by urging health care organizations to pursue security preparedness, responsiveness and consequence management in order to minimize the impact of any breaches.