The worldwide WannaCry ransomware attack that began in Europe on May 12, 2017 may still be fresh in your memory. On June 9, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a quick-response checklist for Health Insurance Portability and Accountability Act (HIPAA) Covered Entities and Business Associates that have experienced a ransomware attack or other cyber-related security incident. The checklist directs that, in the event of such an incident, the affected entity should:
- Execute its existing response and mitigation procedures and contingency plans (mandatory);
- Report the crime to the appropriate law enforcement agencies, which may include state or local law enforcement, the FBI and/or the Secret Service;
- Report all cyber threat indicators to federal agencies and information-sharing and analysis organizations (ISAOs); and
- Report the breach to OCR as soon as possible (mandatory).
OCR considers all mitigation efforts taken by the entity during any particular breach investigation, including voluntary sharing of breach-related information with law enforcement agencies and other federal agencies and information-sharing and analysis organizations. As a result, it is important for Covered Entities and Business Associates to understand the procedures on OCR’s checklist.