
OCR Urges Covered Entities to Monitor and Report Cyber Threats

The healthcare system in the United States has suffered a barrage of cyberattacks in recent years and there is no sign that those attacks will ease. In all likelihood, attacks will increase in both number and severity.

To counter the increased threat, healthcare organizations, government agencies, the private sector, and international network defense communities must collaborate, says the Department of Health and Human Services’ Office for Civil Rights in its February newsletter.

It is the responsibility of healthcare organizations to keep abreast of the latest cyber threats so that they can take timely action to mitigate risk. Threat intelligence is available from many organizations, but at a minimum, healthcare organizations should be regularly checking the cyber threat information published by the United States Computer Emergency Readiness Team (US-CERT).

OCR explains that US-CERT – one of the four branches of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) – provides actionable threat intelligence to the public and private sectors, government agencies, and critical infrastructure owners. US-CERT collects and analyzes its own data, but also intelligence submitted by its partners.


Information on the latest threats is published on the US-CERT website, along with recently discovered vulnerabilities, mitigations for known vulnerabilities, and details of the latest patches. Organizations can also sign up for e-mail alerts from US-CERT via its website.

The value of the information provided by US-CERT was highlighted by a report on Grizzly Steppe activity, published on February 10, 2017. Grizzly Steppe is the name given to a campaign run by Russian civilian and military intelligence services targeting the U.S. government and private sector organizations, including healthcare organizations. The activity report details the methods used by the threat actors to gain access to systems, along with techniques that can be adopted to mitigate the threat and defend against spear phishing and webshell attacks.

Armed with this information and intelligence on other network and data security threats, healthcare organizations can ensure action is taken to counter threats to the confidentiality, integrity, and availability of ePHI. OCR recommends that US-CERT reports and alerts be obtained by all HIPAA covered entities and their business associates as part of the HIPAA Security Management Process.

Healthcare organizations should also play a part in improving awareness of the latest cybersecurity threats by sharing reports of suspicious activity with US-CERT. OCR suggests “Covered entities should report to US-CERT any suspicious activity, including cybersecurity incidents, cyber threat indicators and defensive measures, phishing incidents, malware, and software vulnerabilities.”

While threat intelligence and details of security incidents should be submitted, covered entities are not permitted to share any ePHI with US-CERT unless the disclosure is otherwise permitted under the HIPAA Rules (OCR provides separate guidance on the disclosures of ePHI that HIPAA permits).

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.