Reprinted with Permission from the Birmingham Medical News
Everywhere you look these days, there seems to be another report of cyber-attacks that do not discriminate based on industry type, size of business, or impact. In other words, everyone is vulnerable. In fact, the phrase “it is not if it happens, it is when it happens” has become commonplace when discussing security incidents.
Given the number of incidents occurring within the healthcare industry, over the past few months, the Office of Civil Rights (“OCR”), the entity overseeing compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, has issued extensive guidance on monitoring cyber threats and responding to cyber-attacks. One theme throughout the OCR guidance is reporting the incident to various governmental authorities. However, while governmental reporting can have significant benefits, any disclosure of a cyber-incident needs to be carefully considered and analyzed.
In February, OCR issued guidance on reporting and monitoring cyber threats. In the February guidance, OCR encourages covered entities and business associates to report cyber security incidents, cyber threat indicators, and phishing incidents to the United States Computer Emergency Readiness Team (“US-CERT”), a branch within the Department of Homeland Security. US-CERT develops information on cyber security incidents, responds to incidents, and analyzes data regarding incidents. In addition, the February guidance encourages covered entities and business associates to sign up to receive email alerts from US-CERT regarding known patches and mitigations.
Download the full article, “Cyber Threats Equal Serious Threats” written by Kelli Carpenter Fleming.