HHS gives providers cyber-attack advice


Healthcare providers should act quickly to contain and report cyber security-related incidents within their facilities, the Department of Health and Human Services Office for Civil Rights (OCR) urged in a recently published checklist.

The HHS guide offers HIPAA-covered entities step-by-step recommendations for handling a cyber-related event, such as a ransomware attack, beginning with immediately executing their response procedures and contingency plan. Providers should fix the technical problems that let the incident occur and stop it from continuing. They then should mitigate any "impermissible disclosure" of protected health information, whether through in-house efforts or with help from an outside entity.

The checklist also encourages providers to report the event to law enforcement agencies, to other federal organizations, and to OCR. For breaches affecting 500 or more individuals, providers must notify OCR without unreasonable delay and no later than 60 days after discovering the incident.

“OCR considers all mitigation efforts taken by the entity during any particular breach investigation,” the checklist, released Thursday, reads. “Such efforts include voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations.”

Federal health officials have previously stressed the importance of disaster preparedness when it comes to cyber security, suggesting an "all-hazards approach" could help providers prepare for and withstand attacks. The checklist release also follows a recent cyber attack that disrupted England's National Health Service; experts say the service's aging computer systems gave the attackers a way in, and the ransomware then locked providers out of medical records and demanded payment to restore access.