In the aftermath of the recent WannaCry ransomware attack and the May 12, 2017 notification from Laura Wolf, Critical Infrastructure Protection Lead of Health and Human Services (HHS) discussed in Cinthia Motley’s May 13, 2107 Alert:  Ransomware – a Global Wake-Up Call, the HHS Office of Civil Rights “OCR”) issued a Quick Response Cyber Attack checklist and graphic on June 9, 2017. The checklist and the corresponding infographic outline the following steps a HIPAA covered entity and  business associates need to consider taking in response to a cyber-related security incident:

  1. Execute its response and mitigation procedures and contingency plans.
  2. Report the crime to law enforcement agencies.
  3. Report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs).
  4. Report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.

While all of these steps may not necessarily apply to all situations, we recommend that HIPAA covered entities and business entities review their current IRP and procedures and compare them to the OCR checklist. As noted in the OCR checklist, the OCR considers all mitigation efforts taken by the entity during any breach investigation. Such efforts include voluntary sharing of breach-related information with law enforcement agencies and other federal and ISAOs. As noted in the OCR graphic, even if there is not a breach, the entity must document and retain all information considered during the risk assessment of the cyber-attack, including how it determined that no breach occurred.

If you are concerned that your business does not have the proper IRP or needs assistance in developing one, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com, or contact Cinthia Motley (312) 849-1972 or cinthia.motley@sedgwicklaw.com. or Carol Gerner (312) 849-1959 or carol.gerner@sedgwicklaw.com.