OCR Urges Covered Entities to Monitor and Report Cyber Threats

Share this article on:

The healthcare system in the United States has suffered a barrage of cyberattacks in recent years and there is no sign that those attacks will ease. In all likelihood, attacks will increase in both number and severity.

To counter the increased threat, healthcare organizations, government agencies, the private sector, and international network defense communities must collaborate, says the Department of Health and Human Services’ Office for Civil Rights in its February newsletter.

It is the responsibility of healthcare organizations to keep abreast of the latest cyber threats to enable them to take timely action to mitigate risk. Threat intelligence is available from many organizations, although as a minimum, healthcare organizations should be regularly checking the cyber threats published by the United States Computer Emergency Readiness Team (US-CERT).

OCR explains that US-CERT – one of the four branches of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) – provides actionable threat intelligence to the public and private sector, government agencies and critical infrastructure owners. US-CERT collects and analyses its own data, but also intelligence submitted by its partners.

Information on the latest threats is published on its website, along with recently discovered vulnerabilities, mitigations for known vulnerabilities, and details of the latest patches. Organizations can also sign up for e-mail alerts from US-CERT via its website.

The value of the information provided by US-CERT was highlighted by a report on Grizzly Steppe activity, published on February 10, 2017. Grizzly Steppe is the name given to a campaign run by Russian civilian and military intelligence services targeting the U.S government and private sector organizations, including healthcare organizations. The activity report details the methods used by the threat actors to gain access to systems along with techniques that can be adopted to mitigate the threat and defend against spear phishing and webshell attacks.

Armed with this information and intelligence on other network and data security threats, healthcare organizations can ensure action is taken to counter threats to the confidentiality, integrity, and availability of ePHI. OCR recommends US-CERT reports and alerts should be obtained by all covered entities and their business associates as part of the HIPAA Security Management Process.

Healthcare organizations should also play a part in improving awareness of the latest cybersecurity threats by sharing reports of suspicious activity with US-CERT. OCR suggests “Covered entities should report to US-CERT any suspicious activity, including cybersecurity incidents, cyber threat indicators and defensive measures, phishing incidents, malware, and software vulnerabilities.”

While threat intelligence and details of security incidents should be submitted, covered entities are not permitted to share any ePHI with US-CERT unless the disclosure is otherwise permitted under HIPAA Rules (Details of allowable disclosures of ePHI are available on this link).

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On