June 12, 2017. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) published on June 8, 2017 via its SecurityList “OCR Quick Response Cyber Attack Checklist and Graphic.” The Checklist is entitled: My entity just experienced a cyber-attack! What do we do now? – A Quick-Response Checklist from the HHS, Office for Civil Rights (OCR).
The subject areas addressed in the Checklist, each accompanied by important guidance, are:
- “Must execute its response and mitigation procedures and contingency plans.”
- “Should report the crime to other law enforcement agencies.”
- “Should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs).”
- “Must report the breach to OCR as soon as possible, but not later than 60 days after the discovery of a breach affecting 500 or more individuals.”
Be sure to read the footnoted information pertaining to these headings, much of which relates to complying with the HIPAA Privacy and Security Rules and the HITECH Act Breach Notification Rule.
The Graphic is entitled: Cyber-Attack Quick Response. The Graphic asks: “Experienced a ransomware attack or other cyber-related security incident? This Cyber-Attack Quick Response guide will explain steps that a HIPAA covered entity or its business associate should take to respond.” The Graphic should be reprinted and posted in break rooms, discussed in workforce member meetings, and included as a specific topic in safeguard training sessions. HIPAA Integrity® provides written policies and procedures and guidance for responding to the events covered in the Checklist and Graphic.