HIPAA requires ‘timely response’ for security incidents, says alert to health sector

People wait outside a hospital emergency room in Texas. (Photo by Brandon Bell/Getty Images)

Not only will a timely response to security incidents prevent and reduce recovery time from cyberattacks, the Health Insurance Portability and Accountability Act requires covered entities to implement policies to address incidents, according to the cyber bulletin from the U.S. Department of Health and Human Services’ Office for Civil Rights.

To OCR, the rise of hacking incidents across all sectors is cause for concern. About 74% of all healthcare data breaches reported to the agency in 2021 involved hacking or IT incidents, which makes hacking “the greatest threat to the privacy and security of protected health information.”

Consider the latest spate of cyberattacks and related periods of electronic health record downtime in healthcare. The outage at OakBend Medical Center in Texas lasted for about three weeks and led to care diversion during the initial days, as well as the theft of patient data. Patients were also hit with fraud attempts in the wake of the incident.

Meanwhile, CommonSpirit Health was struck with ransomware on Oct. 3 and has led to care disruptions at a portion of its 700 care sites and 142 hospitals across the country. Local media outlets note that many of these impacted hospitals are still working to recover several weeks after the attack. CommonSpirit has not issued an update since Oct. 17.

Based on the financial reports of health systems following several weeks of network outages, cyberattacks can cost upwards of $1 million per each day of downtime. For Scripps Health, a month of downtime after its 2021 cyberattack cost $122.7 million in lost revenue and recovery.

“Security incidents will almost inevitably occur during the lifetime of a regulated entity,” OCR officials wrote. Adhering to the HIPAA-required security incident response plan can enable providers to effectively pivot and recover from potential cyber incidents.

These plans should include methods for identifying and responding to security incidents, as well as mitigating possible harmful impacts and documenting each incident and the outcomes.

Incident response processes should begin with forming a team with…