HHS Cybersecurity Guidance - You Still Have Work to Do

Clark Hill PLC
Contact
LinkedIn
Facebook
X
Send
Embed

The U.S. Department of Health and Human Services Office for Civil Rights ("HHS") recently issued a quick response checklist to outline steps a HIPAA covered entity or business associate should take in response to a cyber-related security incident. The HHS checklist offers general, step-by-step guidance for healthcare providers in the event of a security incident that includes: (1) immediately executing response procedures and contingency plans to fix technical problems to stop a security incident; (2) reporting a security incident to appropriate law enforcement agencies; (3) reporting all cyber threat indicators to federal and information-sharing analysis organizations; and (4) reporting a breach to the HHS as soon as possible (but no later than 60 days after the discovery of a breach affecting 500 or more individuals). 

While the HHS checklist is certainly a practical resource for healthcare providers, it does not (and absolutely should not) alleviate a healthcare provider's responsibility to create, implement, and continuously test/update an incident response plan ("IRP") tailored to that provider's circumstances and vulnerabilities. Relying solely on the HHS checklist without an IRP will surely result in panic-based reactions with no structure to guide next steps when a cyber-related security incident inevitably occurs. Further, because of the strict requirements contained in the HIPAA Security Rule - including a duty to identify and respond to security incidents, mitigate harmful effects, and document security incidents and outcomes - a healthcare provider must be particularly vigilant in being cyber-prepared. 

Effective and adequate cybersecurity requires early preparation to ensure an appropriate and effective response later. The HHS checklist, though helpful, should be viewed merely as one of a multitude of best practice guides issued by federal agencies for health care providers and other businesses in developing and implementing cybersecurity measures. For more information about how to best respond to a cyber-related security incident and protect your business against a cyber-attack, see the Department of Justice's Incident Response Procedure Instructions or the Federal Trade Commission's Data Breach Response Guide.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Clark Hill PLC | Attorney Advertising

Written by:

Clark Hill PLC
Clark Hill PLC
Contact
more
less

Clark Hill PLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide