OCR Provides Guidance for Reporting and Monitoring Cyber Threats

The U.S. healthcare community has endured a seemingly constant string of data breaches and cyber threats in recent years. Unfortunately, cyber attacks show no indication of slowing down and most likely, will increase in number and severity for the foreseeable future.

In their February newsletter, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) addressed the increasing threats and asked healthcare organizations, government agencies, the private sector and international network defense communities collaborate with each other.

Along with the request for increased collaboration, OCR introduced the National Cybersecurity and Communications Integration Center (NCCIC) which “lives” within the Department of Homeland Security and is tasked with “operating at the intersection of government, private sector, and international network defense communities, applying unique analytic perspectives, ensuring shared situational awareness, and orchestrating synchronized response, mitigation, and recovery efforts while protecting the Constitutional and privacy rights of Americans in both the cyber security and communications domains.”

One of NCCIC’s four branches is the United States Computer Emergency Readiness Team (US-CERT) which develops timely and actionable information on threats to the federal and state governments, critical infrastructure owners, international organizations, and private industry. US-CERT responds to cyber security incidents and analyzes data it collects itself and from partners about emerging cyber threats. Covered entities should report to US-CERT any suspicious activity, including cyber security incidents, cyber threat indicators and defensive measures, phishing incidents, malware, and software vulnerabilities.

As a basic precaution, healthcare organizations should be regularly checking the latest cyber threats published by US-CERT as part of their security protocol. US-CERT makes this information available on their website which includes recently discovered vulnerabilities, mitigation’s for known vulnerabilities, and details of the latest patches. Additionally, organizations can sign up to receive email alerts from US-CERT on their website.

Bottom line, covered entities and business associates must remain vigilant about researching the latest cyber threats and if necessary, take timely action to mitigate any risks. The information found on the US-CERT’s website and emails can be leveraged as part of a robust HIPAA security management program to help ensure the confidentiality, integrity and availability of ePHI.

Speak Your Mind

*