OCR Urges Cyber Threat Monitoring
In February 2017, the U.S. Department of Health and Human Services Office for Civil Rights released guidance on reporting and monitoring cyber threats.1 The Guidance was in response to September 2016 U.S. Government Accountability Office findings that data breaches impacting health care records of 500 or more individuals increased from only 10 in 2010 to 56 in 2015, and GAO’s subsequent recommendation that OCR update its guidance for protecting electronic health information.2
The Guidance encourages covered entities and business associates to report suspicious activity, including cybersecurity incidents, cyber threat indicators and phishing incidents, to the U.S. Computer Emergency Readiness Team (US-CERT), a branch of the National Cybersecurity and Communications Integration Center within the Department of Homeland Security. US-CERT provides analytic perspectives, ensures shared situational awareness, and orchestrates response and mitigation for cybersecurity incidents; its mission is to develop timely and actionable information on threats, to respond to cybersecurity incidents, and to analyze data it independently collects and data it receives from partners. US-CERT is therefore well positioned both to provide insight into cybersecurity efforts and to benefit from information shared with it about cybersecurity incidents. OCR cautions, however, that Protected Health Information (PHI) may not be disclosed for the purpose of sharing cyber threat indicators unless the disclosure is otherwise permitted under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.3
In addition to sharing information with US-CERT, OCR urges covered entities and business associates to monitor US-CERT's website or sign up for its email alerts for reports on current threats and for prompt access to patches and mitigations when they become available. Monitoring this information, OCR notes, helps covered entities and business associates meet their administrative safeguard obligations under the HIPAA Security Rule for protecting Electronic Protected Health Information (ePHI).4
Historically, violations of the Security Rule have contributed to substantial HIPAA penalties. For example, a breach by New York-Presbyterian Hospital and Columbia University, in which the entities exposed the ePHI of 6,800 individuals by inadvertently making it accessible to Internet search engines, resulted in 2014 in resolution agreements under which the entities paid a combined $4.8 million.5 Among OCR's findings in investigating that breach was that the entities had failed to develop adequate risk management plans to address potential security threats to patient information.
Although the Guidance is non-binding, covered entities and business associates should consider adopting OCR's recommendation to monitor US-CERT's website and/or sign up for its email alerts on current threats. Compliance programs should also include procedures for promptly addressing such threats when US-CERT publishes mitigation steps or such steps are otherwise available. Failure to identify and mitigate a threat when US-CERT has already published information that would facilitate doing so could weigh against a covered entity or business associate when OCR evaluates whether it has the adequate risk management plan the Security Rule requires.
1 Department of Health and Human Services, Office for Civil Rights, "Reporting and Monitoring Cyber Threats" (Feb. 2017), available at https://www.hhs.gov/sites/default/files/february-2017-ocr-cyber-awareness-newsletter.pdf.
2 U.S. Government Accountability Office, "HHS Needs to Strengthen Security and Privacy Guidance and Oversight" (GAO-16-771, Aug. 26, 2016), available at http://www.gao.gov/products/GAO-16-771.
3 Department of Health and Human Services, Office for Civil Rights, HIPAA FAQ 2072 (Cybersecurity Information Sharing Act of 2015), "May a HIPAA covered entity or its business associate disclose protected health information (PHI) for purposes of cybersecurity information-sharing of cyber threat indicators?", available at https://www.hhs.gov/hipaa/for-professionals/faq/2072/covered-entity-disclose-protected-health-information-purposes-cybersecurity-information-sharing/.
4 See the Guidance (citing 45 C.F.R. § 164.308(a)(1)); Department of Health and Human Services, Office for Civil Rights, "Summary of the HIPAA Security Rule," available at https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/.
5 See New York Presbyterian Hospital Resolution Agreement, available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/enforcement/examples/ny-and-presbyterian-hospital-settlement-agreement.pdf; Columbia University Resolution Agreement, available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/enforcement/examples/columbia-university-resolution-agreement.pdf.