Medicare Compliance & Reimbursement

HIPAA Toolkit:

Create an Incident Response Team With These Tips

Add incident response to your annual HIPAA risk assessment.

Securing your patients’ protected health information (PHI) is critical from both a professional and financial standpoint. No matter whether you outsource IT security or handle it internally, you should have a plan in place on how to respond to data security problems, including a dedicated incident response team.

Why? Under the HIPAA Security Rule, covered entities (CEs) and their business associates (BAs) are tasked with safeguarding ePHI, which “identifies individuals and includes information relating to an individual’s health, treatment, or payment information” and “is a valuable target for cyber-criminals,” reminds the HHS Office for Civil Rights (OCR) in the October 2022 Cybersecurity Newsletter. Additionally, analyzing threats, implementing policies and procedures, documenting issues and incidents, and responding to and managing problems are all requirements under the Rules — and CEs and BAs are held accountable post-breach for their protocols and actions.

Facts: “In the health care sector, hacking is now the greatest threat to the privacy and security of PHI. A timely response to a cybersecurity incident is one of the best ways to prevent, mitigate, and recover from cyberattacks,” OCR says. At press time, 516 HIPAA breaches were reported in 2022 and under investigation by the feds, but more importantly, a whopping 415 of that total were due to a hacking or IT incident, according to the OCR breach portal.

Plus: On Oct. 21, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) released a joint cybersecurity advisory on the “Daixin Team,” the latest ransomware threat to hit the healthcare sector. “The Daixin Team … deployed ransomware to encrypt servers responsible for healthcare services — including electronic health records services, diagnostics services, imaging services, and intranet services, and/or exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid,” the advisory says.

As of Oct. 2022, CISA has received the most ransomware complaints — more than 25 percent of the total — from the healthcare sector, out of 16 critical infrastructure sectors the agency monitors, the advisory adds.

Consider This Advice on Incident Response Management

Depending on the size and scope of your organization, you may bristle at allocating funds for HIPAA compliance. Statistics show that data security is an area that your practice may want to invest in, since “security incidents will almost inevitably occur during the lifetime of a regulated entity,” OCR reminds.

There are real and existential costs to contend with, however — particularly for smaller organizations, explains Adam Kehler, director of RSP Healthcare Services at Online Business Systems. “Small practices are at a distinct disadvantage when it comes to procuring IT and cybersecurity services. This is especially true in rural areas,” Kehler cautions. “Often they will hire the only local IT shop or an independent person that someone at the practice knows.”

He adds, “I’ve seen practices where the doctor’s spouse, sibling, or niece/nephew becomes the de facto IT person. The challenge is that just because someone can configure a firewall, doesn’t make them knowledgeable in information security and compliance.”

Cybersecurity on its own is a very diverse and nuanced field. The business of securing health data with the overlap of the various constraints, safety concerns, and regulations adds another layer of complexity and necessitates expertise in the field, suggests Jen Stone, MCIS, CISSP, CISA, QSA, principal security analyst with Security Metrics in Orem, Utah. “Many people believe their IT people are cybersecurity professionals.”

Stone continues, “This critical misunderstanding happens in practices of all sizes, whether they have on-site staff or outsource their technology needs. While some IT groups do know and implement security, that isn’t their primary function.”

OCR offers insight on starting the process of creating a security incident response team. Here are four items to consider, according to the Cybersecurity Newsletter:

1. Staff the team with subject-matter experts. Whether you use in-house employees or hire an IT vendor, make sure your security incident response team knows the Rules and the requirements. Your structure should “use a centralized or distributed model, staff[ed] with full-time employees or partially outsource[d],” OCR says. And “ensure team members have appropriate expertise — organizational and technical.”

2. Make communicating incidents a priority. Your team must establish “relationships and lines of communication between the security incident response team and other groups (both internal and external),” OCR advises.

3. Determine auxiliary staff that need notification after a data security incident occurs. Your team needs to identify “points of contact at external groups that may be helpful to include in the event of an incident (e.g., network service providers, software and hardware vendors, local and federal law enforcement, incident handling teams of business partners and customers),” OCR warns.

4. Formulate a checklist of what the team’s objectives are. Your design plan should determine “what services the security incident response team should provide (e.g., intrusion detection, advisory distribution, education and awareness, information sharing),” OCR says.

Reminder: Similar to managing your organization’s issues after your annual risk analysis, a security incident response team’s job is ongoing and evolves depending on threats and incidents. Your team needs to stay on top of testing for potential threats, training staff, updating and employing software, and more.

Resources: Check out the Cybersecurity Newsletter at www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2022/index.html and review the joint advisory at www.cisa.gov/uscert/ncas/alerts/aa22-294a.