HHS Addresses Cybersecurity Incident Response Procedures Under HIPAA | Practical Law


The Department of Health and Human Services (HHS) has issued subregulatory guidance addressing the procedures that covered entities (CEs) and business associates (BAs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) should implement to respond to cybersecurity incidents involving electronic protected health information (ePHI). In issuing this guidance, HHS cited the rising number of cybersecurity incidents during 2022.


Practical Law Legal Update w-037-3694 (Approx. 6 pages)


by Practical Law Employee Benefits & Executive Compensation
Published on 26 Oct 2022 | USA (National/Federal)
HHS's Office for Civil Rights (OCR) has issued subregulatory guidance addressing the procedures that HIPAA covered entities (CEs) and business associates (BAs) (collectively, entities) should implement to prepare for and respond to cybersecurity incidents involving electronic protected health information (ePHI) (OCR Cybersecurity Newsl. (Oct. 25, 2022)). In issuing this guidance, HHS cited the rising number of cybersecurity incidents so far in 2022.
For more information on HIPAA compliance, see HIPAA Privacy, Security, and Breach Notification Toolkit.
As background, the HIPAA Security Rule requires entities to develop and implement policies and procedures for reporting, responding to, and managing security incidents. These policies and procedures should address how to:
  • Identify and respond to security incidents.
  • Reduce the negative consequences of security incidents.
  • Document security incidents and their related outcomes.

Forming Security Incident Response Teams

HHS's guidance encourages entities to create a security incident response team (SIRT) for identifying, responding to, and recovering from security incidents. Citing National Institute of Standards and Technology (NIST) guidance, HHS indicates that forming a SIRT should include the following steps:
  • Choosing a team structure and team members with appropriate expertise.
  • Establishing internal and external relationships and lines of communication between the SIRT and other groups.
  • Identifying which internal departments may need to be involved in incident responses (for example, HR, legal, IT support, public affairs, business continuity, and facilities management).
  • Identifying contacts for external groups that may need to be contacted after an incident (for example, law enforcement, network service providers, and hardware/software vendors).
  • Deciding which types of services the team should provide.
The guidance also recommends that a SIRT routinely test and update the entity's security incident procedures, using scenarios such as a ransomware attack.

HIPAA Security Rule Standards for Addressing Security Incidents

Drawing from the HIPAA Security Rule, HHS's guidance outlines several steps that entities should take to protect against cyber threats.

Identifying Security Incidents

Regarding how to identify security incidents, HHS's guidance emphasizes the Security Rule's audit controls standard, under which entities must implement hardware or software mechanisms that record and examine access and other activity in information systems that contain or use ePHI, and must maintain the resulting audit logs (see Practice Note, HIPAA Security Rule: Physical Safeguards, Technical Safeguards, and Other Issues: Audit Controls). A related Security Rule standard requires entities to implement procedures to regularly review records of information system activity (for example, audit logs, access reports, and security incident tracking reports) (see Practice Note, HIPAA Security Rule: Overview and Administrative Safeguards: Security Management Process).
According to HHS, maintaining and reviewing audit and system activity logs will help entities promptly identify and respond to security incidents.

Responding to Security Incidents

Under HHS's guidance, entities should take the following actions in developing their security incident procedures:
  • Designating appropriate personnel as members of the SIRT (including external third parties).
  • Adopting a communication plan (including team members' contact information) for notifying SIRT members of security incidents.
  • Developing processes to assess the scope of a security incident (including forensic analyses).
  • Drafting instructions for managing security incidents.
  • Creating (and updating as needed) a list of computer systems and data that should be prioritized during a security incident response.
  • Developing processes for:
    • reporting security incidents (see generally Practice Note, HIPAA Breach Notification Rules);
    • gathering and preserving evidence of the security incident (for example, log files); and
    • regularly testing the entity's security incident response process.
HHS's guidance also encourages entities to develop specific processes addressing common security incidents (for example, ransomware and phishing attacks).

Mitigating Harmful Effects of Security Incidents

HHS's guidance addresses steps for mitigating the harmful effects of a security incident (after the incident is neutralized and any malware has been removed). These steps may include recovering and restoring systems and data. In this regard, HHS's guidance notes the importance—under HIPAA's Security Rule—of contingency plans for responding to security incidents involving ePHI (see Practice Note, HIPAA Security Rule: Overview and Administrative Safeguards: Contingency Plan). Contingency plans must include data backup and recovery procedures.
Regarding data backup, HHS's guidance highlights the Cybersecurity and Infrastructure Security Agency's (CISA's) recommendations that entities keep:
  • Three copies of data (one primary copy and two backup copies).
  • Backups on two different types of media.
  • At least one backup copy offsite.
In addition, HHS indicates that recovery from a security incident may involve at least one of the following CISA-recommended processes:
  • Reimaging affected systems from backups.
  • Rebuilding systems or hardware.
  • Replacing compromised files with uncompromised versions.
  • Installing updates and patches.
  • Resetting passwords and implementing multi-factor authentication.

Documenting and Reporting Security Incidents

HHS's guidance also addresses the Security Rule requirement that entities document security incidents and their outcomes. According to HHS, these security incident procedures should address documentation of security incidents (for example, what types of information will be included).
The guidance reminds entities that HIPAA's breach notification rules require that:
  • Breaches affecting more than 500 individuals be reported to affected individuals, OCR, and the media (if certain conditions are met) within 60 days of discovering the breach.
  • Breaches affecting fewer than 500 individuals be reported to affected individuals within 60 days of discovering the breach and to OCR no later than 60 days after the end of the calendar year in which the breach was discovered.
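The two notification timelines above, turned into a small deadline calculator so an incident tracker can compute and monitor the dates. This is an added example, not part of the Practical Law update or HHS's guidance; the treatment of exactly 500 affected individuals is an assumption noted in the code, and the sample dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Both notification windows in the guidance summary are 60 calendar days.
NOTIFICATION_WINDOW = timedelta(days=60)
# Assumption: 500 or more affected individuals is a "large" breach (the
# boundary in 45 C.F.R. 164.408(b)); the summary above says "more than 500"
# and "fewer than 500" and does not address exactly 500.
LARGE_BREACH_THRESHOLD = 500


@dataclass(frozen=True)
class BreachDeadlines:
    individuals_by: date          # notice to affected individuals
    ocr_by: date                  # report to HHS Office for Civil Rights
    media_notice_may_apply: bool  # large breaches only, subject to conditions


def breach_deadlines(discovered: date, affected: int) -> BreachDeadlines:
    """Compute the HIPAA breach notification deadlines from the discovery date."""
    if affected < 1:
        raise ValueError("a breach must affect at least one individual")
    individuals_by = discovered + NOTIFICATION_WINDOW
    if affected >= LARGE_BREACH_THRESHOLD:
        # Large breach: individuals, OCR and (if conditions are met) media
        # are all notified within 60 days of discovery.
        return BreachDeadlines(individuals_by, individuals_by, True)
    # Small breach: the OCR report is due 60 days after the end of the calendar
    # year of discovery, i.e. Mar 1 of the next year, or Feb 29 in a leap year.
    year_end = date(discovered.year, 12, 31)
    return BreachDeadlines(individuals_by, year_end + NOTIFICATION_WINDOW, False)


def days_remaining(deadline: date, today: date) -> int:
    """Days left before a deadline; negative means it has already passed."""
    return (deadline - today).days


def annual_ocr_log_deadlines(small_breaches: list[tuple[date, int]]) -> dict[int, date]:
    """One OCR deadline per calendar year for sub-threshold breaches. Large
    breaches are rejected: they are reported individually, not on the log."""
    deadlines: dict[int, date] = {}
    for discovered, affected in small_breaches:
        if affected >= LARGE_BREACH_THRESHOLD:
            raise ValueError(f"{affected} affected: report within 60 days, not on the annual log")
        deadlines[discovered.year] = breach_deadlines(discovered, affected).ocr_by
    return deadlines
```

The leap-year case matters: a small breach discovered any time in 2023 must be on the OCR log by 29 Feb 2024, not 1 Mar 2024.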

Practical Impact

HHS issued its latest cybersecurity guidance against a backdrop of increasing cybersecurity incidents and data breaches, year-over-year (comparing 2022 to 2021). This past summer, as one example, a research university's health sciences center (a HIPAA CE) paid $875,000 to HHS to settle potential HIPAA violations after a hacker obtained individuals' ePHI by gaining access to the center's web server using uploaded malware. Among other actions, that settlement required the health sciences center to appoint an independent monitor to evaluate its HIPAA compliance efforts as part of an HHS-imposed corrective action plan. For more information, see Legal Update, Malware Cyberattack Leads to $875,000 HIPAA Settlement.