Policy Analysis –
Last week, we looked at how the federal government organizes itself to support critical infrastructure in responding to significant cyber incidents that threaten national security. Today we will focus on the regulatory expectations for health care organizations responding to a cyber breach.
The primary federal regulator in this space is HHS’s Office for Civil Rights (OCR), which is responsible for administering the Health Insurance Portability and Accountability Act (HIPAA). To implement its authorities under HIPAA, OCR published the HIPAA Security Rule (first proposed in 1998, finalized in 2003). The Security Rule “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.” This covers not only how to protect that information, but also how to respond to and recover from incidents that may compromise protected health information (PHI).
When an incident occurs, OCR is unequivocal in saying that a covered entity “must execute its response and mitigation procedures and contingency plans.” The clear message is that a health care organization should first worry about defending its own systems and mitigating the threat. Only after the incident is under control should it turn to regulatory reporting requirements. After all, HIPAA’s Breach Notification Rule requires notification without unreasonable delay, and in no case later than 60 days after discovery of a breach. If a health care organization has considered HIPAA expectations in advance, its incident response will naturally produce a record that is easy to document and present to regulators if PHI is compromised and an investigation is conducted later.
As part of their incident response procedures, health care entities should also have a mechanism for reporting the incident to law enforcement agencies. Notifying law enforcement enables a criminal investigation that can lead to the arrest and prosecution of those responsible, and it can also bring your incident into the process set forth in PPD-41 and described last week. Law enforcement may also provide helpful network defense information if the incident is part of a larger campaign that they are already investigating.
Sharing information through H-ISAC should also be part of your response plans. Actively sharing information informs your network defense, as well as enabling others in the sector to defend against similar threats. And sharing with H-ISAC enables the sector to coordinate its response to campaigns or widespread attacks, freeing you to focus on your own enterprise. It is important to note that H-ISAC does not share any cyber-threat indicators or incident information with OCR or other federal regulators.
As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion on responding to a cyber breach, become a member of H-ISAC.